Analysis
max time kernel: 590s
max time network: 601s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 31-05-2024 15:19
General
Target: nursultan nexgen fix.exe
Size: 1.5MB
MD5: a3d07c747770c9a471a44446e46e33d5
SHA1: 8340534fb1770bae9660287ddb0496e243efcfe4
SHA256: 16015088c3352a8257f420555e7ce6245aa0e6682deeca79bf7e08c24e1ac3de
SHA512: 307cbdddaa9f426f8ceec060c2c0b1ab5ed3573e327dbcfdda7b1dfd22cf17559f017d835d71bdd15397fa95b0c7dfbfb4cd6b51cd5b2adc1d1cddc8ffe27f99
SSDEEP: 24576:U2G/nvxW3Ww0tpfnNGcvUCxt9groiK5Cg3ZRvm43TzvmF2cK07:UbA30pfnLRRgrheJROuTzvIR
Malware Config
Signatures
DcRat
DarkCrystal RAT (DCRat) is a .NET remote access trojan, active since June 2019, that can load additional plugins at runtime.
Process spawned unexpected child process 21 IoCs
This typically indicates the parent process was compromised via an exploit or macro. In this run the picture is different: all 21 flagged children are schtasks.exe /create instances whose parent is C:\Windows\system32\wbem\wmiprvse.exe (PID 3008), and none of them hangs off the dropper's own process chain. The most plausible reading is that the sample started schtasks.exe through WMI process creation, which makes WmiPrvSE.exe the recorded parent and hides the real initiator; whichever way it happened, WmiPrvSE.exe spawning schtasks.exe is a high-confidence hunting signal on its own.
Processes:
description | pid | pid_target | process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3736 | 3008 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3040 | 3008 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2872 | 3008 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1956 | 3008 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3160 | 3008 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 340 | 3008 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3804 | 3008 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1976 | 3008 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2240 | 3008 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2380 | 3008 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1032 | 3008 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1108 | 3008 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2576 | 3008 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1600 | 3008 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2856 | 3008 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2256 | 3008 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1900 | 3008 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2268 | 3008 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1292 | 3008 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3084 | 3008 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4932 | 3008 | schtasks.exe
YARA rule matches (DcRat):
resource | yara_rule
C:\portagentbrowserweb\Containerruntime.exe | dcrat
behavioral1/memory/2688-13-0x00000000008F0000-0x0000000000A22000-memory.dmp | dcrat
Disables Task Manager via registry modification
Set by reg.exe (PID 1320, see Processes): HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = 1.
Downloads MZ/PE file
Checks computer location settings 2 TTPs 4 IoCs
Looks up the country code configured in the registry, likely a geofence check.
Processes:
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation | nursultan nexgen fix.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation | WScript.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation | Containerruntime.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation | cmd.exe
Executes dropped EXE 8 IoCs
Processes:
pid | process
2688 | Containerruntime.exe
3752 | cmd.exe
736 | NursuItanLoader_1.16.exe
2960 | MemZ.exe
3200 | RuntimeBroker.exe
1988 | cmd.exe
1244 | sysmon.exe
1296 | lsass.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials, cookies and session data.
Drops file in Program Files directory 8 IoCs
Each dropped executable borrows the name of a Windows system binary (lsass.exe, upfc.exe, unsecapp.exe) or of a security tool (sysmon.exe) but lands in a directory where that binary never legitimately lives, and each is paired with a small companion file carrying a random hex name.
Processes:
description | ioc | process
File created | C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\121e5b5079f7c0 | Containerruntime.exe
File created | C:\Program Files (x86)\Google\Temp\lsass.exe | Containerruntime.exe
File created | C:\Program Files (x86)\Google\Temp\6203df4a6bafc7 | Containerruntime.exe
File created | C:\Program Files\Common Files\DESIGNER\upfc.exe | Containerruntime.exe
File created | C:\Program Files\Common Files\DESIGNER\ea1d8f6d871115 | Containerruntime.exe
File created | C:\Program Files (x86)\Windows Multimedia Platform\unsecapp.exe | Containerruntime.exe
File created | C:\Program Files (x86)\Windows Multimedia Platform\29c1c3cc0f7685 | Containerruntime.exe
File created | C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\sysmon.exe | Containerruntime.exe
Drops file in Windows directory 4 IoCs
All four hits come from mspaint.exe instances that opened a bitmap on the desktop and touched only the WIA trace log. They sit at the top level of the process tree with no link to the sample's chain, so this looks like sandbox desktop activity rather than malware behaviour.
Processes:
description | ioc | process
File opened for modification | C:\Windows\Debug\WIA\wiatrace.log | mspaint.exe
File opened for modification | C:\Windows\Debug\WIA\wiatrace.log | mspaint.exe
File opened for modification | C:\Windows\Debug\WIA\wiatrace.log | mspaint.exe
File opened for modification | C:\Windows\Debug\WIA\wiatrace.log | mspaint.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Creates scheduled task(s) 1 TTPs 21 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes (schtasks.exe PIDs): 2268, 3160, 1976, 2856, 2240, 1032, 2256, 1900, 3736, 3040, 2872, 1108, 1600, 1292, 3084, 4932, 340, 3804, 2380, 1956, 2576
Modifies registry class 3 IoCs
Processes:
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings | nursultan nexgen fix.exe
Key created | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings | cmd.exe
Key created | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings | OpenWith.exe
Modifies registry key 1 TTPs 1 IoCs
reg.exe (PID 1320) writing DisableTaskMgr, see Processes.
Suspicious behavior: EnumeratesProcesses 41 IoCs
Processes (pid, process, entries):
2688 | Containerruntime.exe | 1
3752 | cmd.exe | 32
2900 | mspaint.exe | 2
1652 | mspaint.exe | 2
3812 | mspaint.exe | 2
3980 | mspaint.exe | 2
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
pid | process
3752 | cmd.exe
Suspicious use of AdjustPrivilegeToken 6 IoCs
Every copy of the RAT that ran (the first stage and each task-launched copy) enables SeDebugPrivilege.
Processes:
description | pid | process
Token: SeDebugPrivilege | 2688 | Containerruntime.exe
Token: SeDebugPrivilege | 3752 | cmd.exe
Token: SeDebugPrivilege | 3200 | RuntimeBroker.exe
Token: SeDebugPrivilege | 1988 | cmd.exe
Token: SeDebugPrivilege | 1244 | sysmon.exe
Token: SeDebugPrivilege | 1296 | lsass.exe
Suspicious use of SetWindowsHookEx 17 IoCs
Processes (pid, process, entries):
2900 | mspaint.exe | 4
1652 | mspaint.exe | 4
3812 | mspaint.exe | 4
3980 | mspaint.exe | 4
700 | OpenWith.exe | 1
Suspicious use of WriteProcessMemory 17 IoCs
Processes (source pid/process wrote to memory of target pid/process, entries):
2820 nursultan nexgen fix.exe | 1716 WScript.exe | 3
1716 WScript.exe | 1196 cmd.exe | 3
1196 cmd.exe | 2688 Containerruntime.exe | 2
2688 Containerruntime.exe | 3752 cmd.exe | 2
1196 cmd.exe | 1320 reg.exe | 3
3752 cmd.exe | 736 NursuItanLoader_1.16.exe | 2
3752 cmd.exe | 2960 MemZ.exe | 2
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
Process tree. Indentation marks depth; each node gives the image path, PID, command line and the signatures it triggered. Where the image path is under C:\Windows\SysWOW64 but the command line names System32, that is WOW64 file-system redirection: the dropper and its WScript/cmd chain are 32-bit.

C:\Users\Admin\AppData\Local\Temp\nursultan nexgen fix.exe  (PID 2820)
    "C:\Users\Admin\AppData\Local\Temp\nursultan nexgen fix.exe"
    - Checks computer location settings
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\WScript.exe  (PID 1716)
        "C:\Windows\System32\WScript.exe" "C:\portagentbrowserweb\WRLLAAz5wgYRSh1EMNi6f5aM.vbe"
        - Checks computer location settings
        - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\cmd.exe  (PID 1196)
            C:\Windows\system32\cmd.exe /c ""C:\portagentbrowserweb\6X9rFgrS3wv5iM7PLkmLFP1j.bat" "
            - Suspicious use of WriteProcessMemory
            C:\portagentbrowserweb\Containerruntime.exe  (PID 2688)
                "C:\portagentbrowserweb\Containerruntime.exe"
                - Checks computer location settings
                - Executes dropped EXE
                - Drops file in Program Files directory
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of AdjustPrivilegeToken
                - Suspicious use of WriteProcessMemory
                C:\portagentbrowserweb\cmd.exe  (PID 3752)
                    "C:\portagentbrowserweb\cmd.exe"
                    - Checks computer location settings
                    - Executes dropped EXE
                    - Modifies registry class
                    - Suspicious behavior: EnumeratesProcesses
                    - Suspicious behavior: GetForegroundWindowSpam
                    - Suspicious use of AdjustPrivilegeToken
                    - Suspicious use of WriteProcessMemory
                    C:\Users\Admin\AppData\Local\Temp\NursuItanLoader_1.16.exe  (PID 736)
                        "C:\Users\Admin\AppData\Local\Temp\NursuItanLoader_1.16.exe"
                        - Executes dropped EXE
                    C:\Users\Admin\AppData\Local\Temp\MemZ.exe  (PID 2960)
                        "C:\Users\Admin\AppData\Local\Temp\MemZ.exe"
                        - Executes dropped EXE
            C:\Windows\SysWOW64\reg.exe  (PID 1320)
                reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
                - Modifies registry key

Top-level processes (no parent inside the dropper's chain):

C:\Windows\system32\schtasks.exe, 21 instances, every one spawned under WmiPrvSE.exe (PID 3008) and flagged "Process spawned unexpected child process" and "Creates scheduled task(s)". Each command line has the shape
    schtasks.exe /create /tn "<name>" /sc <schedule> [/mo <n>] /tr "'<target>'" [/rl HIGHEST] /f
PID  | task name      | schedule      | run level | target
3736 | cmdc           | MINUTE /mo 13 |           | C:\portagentbrowserweb\cmd.exe
3040 | cmd            | ONLOGON       | HIGHEST   | C:\portagentbrowserweb\cmd.exe
2872 | cmdc           | MINUTE /mo 8  | HIGHEST   | C:\portagentbrowserweb\cmd.exe
1956 | lsassl         | MINUTE /mo 14 |           | C:\Recovery\WindowsRE\lsass.exe
3160 | lsass          | ONLOGON       | HIGHEST   | C:\Recovery\WindowsRE\lsass.exe
340  | lsassl         | MINUTE /mo 7  | HIGHEST   | C:\Recovery\WindowsRE\lsass.exe
3804 | sysmons        | MINUTE /mo 7  |           | C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\sysmon.exe
1976 | sysmon         | ONLOGON       | HIGHEST   | C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\sysmon.exe
2240 | sysmons        | MINUTE /mo 8  | HIGHEST   | C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\sysmon.exe
2380 | lsassl         | MINUTE /mo 11 |           | C:\Program Files (x86)\Google\Temp\lsass.exe
1032 | lsass          | ONLOGON       | HIGHEST   | C:\Program Files (x86)\Google\Temp\lsass.exe
1108 | lsassl         | MINUTE /mo 10 | HIGHEST   | C:\Program Files (x86)\Google\Temp\lsass.exe
2576 | upfcu          | MINUTE /mo 6  |           | C:\Program Files\Common Files\DESIGNER\upfc.exe
2856 | upfc           | ONLOGON       | HIGHEST   | C:\Program Files\Common Files\DESIGNER\upfc.exe
1600 | upfcu          | MINUTE /mo 11 | HIGHEST   | C:\Program Files\Common Files\DESIGNER\upfc.exe
2256 | RuntimeBrokerR | MINUTE /mo 8  |           | C:\Users\Admin\Cookies\RuntimeBroker.exe
1900 | RuntimeBroker  | ONLOGON       | HIGHEST   | C:\Users\Admin\Cookies\RuntimeBroker.exe
2268 | RuntimeBrokerR | MINUTE /mo 7  | HIGHEST   | C:\Users\Admin\Cookies\RuntimeBroker.exe
1292 | unsecappu      | MINUTE /mo 10 |           | C:\Program Files (x86)\Windows Multimedia Platform\unsecapp.exe
3084 | unsecapp       | ONLOGON       | HIGHEST   | C:\Program Files (x86)\Windows Multimedia Platform\unsecapp.exe
4932 | unsecappu      | MINUTE /mo 13 | HIGHEST   | C:\Program Files (x86)\Windows Multimedia Platform\unsecapp.exe
Pattern: for every payload the sample registers three tasks, a MINUTE task without /rl, an ONLOGON task with /rl HIGHEST, and a second MINUTE task with /rl HIGHEST that reuses the first task's name. Because /f overwrites an existing task of the same name, the HIGHEST variant is what remains. The names lsass and lsassl are registered first for C:\Recovery\WindowsRE\lsass.exe and then for C:\Program Files (x86)\Google\Temp\lsass.exe, so the Google\Temp copy is the one that persists; it is also the copy seen executing below (PID 1296). Defenders cleaning up should remove the tasks by name and delete every target path listed, not just the ones that ran.

C:\Windows\system32\mspaint.exe  (PIDs 2900, 1652, 3812, 3980)
    "C:\Windows\system32\mspaint.exe" "C:\Users\Admin\Desktop\InstallMove.bmp"
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    (not connected to the sample's chain; consistent with sandbox desktop interaction)
C:\Windows\system32\svchost.exe  (PID 3080)
    C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DeviceAssociationService
C:\Windows\system32\OpenWith.exe  (PID 700)
    C:\Windows\system32\OpenWith.exe -Embedding
    - Modifies registry class
    - Suspicious use of SetWindowsHookEx

The four processes below are task targets from the table above starting on their own, consistent with the MINUTE-interval tasks firing during the roughly ten-minute run:
C:\Users\Admin\Cookies\RuntimeBroker.exe  (PID 3200)
    C:\Users\Admin\Cookies\RuntimeBroker.exe
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
C:\portagentbrowserweb\cmd.exe  (PID 1988)
    C:\portagentbrowserweb\cmd.exe
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\sysmon.exe  (PID 1244)
    "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\sysmon.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
C:\Program Files (x86)\Google\Temp\lsass.exe  (PID 1296)
    "C:\Program Files (x86)\Google\Temp\lsass.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
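The persistence behaviour above (WmiPrvSE.exe spawning schtasks.exe, system-binary names registered from odd directories, ONLOGON /rl HIGHEST and short MINUTE triggers, and the DisableTaskMgr write) can be turned into hunting logic over process-creation records such as Sysmon Event ID 1. The script below is an added example written for this page, not part of the sandbox report or of DCRat; its sample events are constructed from the command lines in this report plus one benign control, and the allow-list of legitimate directories and the 15-minute "short interval" threshold are assumptions to tune per environment.

```python
"""Hunting rules over process-creation records (added example, not sandbox output)."""
import re
from dataclasses import dataclass

# Directories where these system binary names legitimately live on a default
# Windows 10 install. Assumption: a starting allow-list to extend per estate;
# sysmon.exe is listed at %SystemRoot%, where Sysinternals Sysmon installs.
LEGIT_DIRS = {
    "lsass.exe": {r"c:\windows\system32"},
    "runtimebroker.exe": {r"c:\windows\system32"},
    "unsecapp.exe": {r"c:\windows\system32\wbem"},
    "upfc.exe": {r"c:\windows\system32"},
    "cmd.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
    "sysmon.exe": {r"c:\windows"},
}
SHORT_INTERVAL_MINUTES = 15  # assumption: at or below this reads as beacon-like


@dataclass
class ProcEvent:
    pid: int
    parent_image: str
    image: str
    command_line: str


def basename(path: str) -> str:
    return path.lower().rsplit("\\", 1)[-1]


def tokenize(cmd: str) -> list:
    # Keep double-quoted arguments intact, then strip the two quote layers the
    # schtasks lines carry ("'C:\path\x.exe'"). shlex's POSIX mode would eat the
    # backslashes of Windows paths, so a small regex tokenizer is used instead.
    return [t.strip('"').strip("'") for t in re.findall(r'"[^"]*"|\S+', cmd)]


def parse_schtasks_create(cmd: str):
    """Return {/tn, /sc, /mo, /tr, /rl} for a `schtasks /create` line, else None."""
    toks = tokenize(cmd)
    low = [t.lower() for t in toks]
    if "/create" not in low:
        return None
    task = {}
    for flag in ("/tn", "/sc", "/mo", "/tr", "/rl"):
        if flag in low and low.index(flag) + 1 < len(toks):
            task[flag] = toks[low.index(flag) + 1]
    return task


def masquerade_finding(target: str):
    """Flag a well-known system binary name running from an unexpected directory."""
    directory, _, name = target.lower().rpartition("\\")
    legit = LEGIT_DIRS.get(name)
    if legit is None or directory in legit:
        return None
    return f"{name} is a system binary name but runs from {directory or '<relative>'}"


def trigger_finding(task: dict):
    """Flag logon persistence at highest run level and short re-launch intervals."""
    sc, rl, mo = task.get("/sc", "").upper(), task.get("/rl", "").upper(), task.get("/mo", "")
    if sc == "ONLOGON" and rl == "HIGHEST":
        return "runs at every logon with highest privileges"
    if sc == "MINUTE" and mo.isdigit() and int(mo) <= SHORT_INTERVAL_MINUTES:
        return f"re-launches every {mo} minutes"
    return None


def analyze(events):
    """Return a list of (pid, reason) findings over process-creation events."""
    findings = []
    for ev in events:
        parent, image, low_cmd = basename(ev.parent_image), basename(ev.image), ev.command_line.lower()
        if image == "schtasks.exe":
            if parent == "wmiprvse.exe":
                # Inference: schtasks started via WMI process creation, which makes
                # WmiPrvSE.exe the recorded parent and hides the real initiator.
                findings.append((ev.pid, "schtasks.exe spawned by WmiPrvSE.exe"))
            task = parse_schtasks_create(ev.command_line)
            if task and "/tr" in task:
                name = task.get("/tn", "?")
                for reason in (masquerade_finding(task["/tr"]), trigger_finding(task)):
                    if reason:
                        findings.append((ev.pid, f"task {name}: {reason}"))
        elif image == "reg.exe" and "disabletaskmgr" in low_cmd and "/d 1" in low_cmd:
            findings.append((ev.pid, "disables Task Manager (DisableTaskMgr=1)"))
    return findings


WMI = r"C:\Windows\system32\wbem\wmiprvse.exe"
SCHTASKS = r"C:\Windows\system32\schtasks.exe"
SAMPLE_EVENTS = [  # constructed from this report's process list
    ProcEvent(3736, WMI, SCHTASKS,
              r'''schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 13 /tr "'C:\portagentbrowserweb\cmd.exe'" /f'''),
    ProcEvent(3160, WMI, SCHTASKS,
              r'''schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\lsass.exe'" /rl HIGHEST /f'''),
    ProcEvent(1976, WMI, SCHTASKS,
              r'''schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\sysmon.exe'" /rl HIGHEST /f'''),
    # benign control (constructed, not from the report): an admin's nightly job
    ProcEvent(4444, r"C:\Windows\System32\cmd.exe", SCHTASKS,
              r'''schtasks.exe /create /tn "NightlyBackup" /sc DAILY /st 02:00 /tr "C:\Windows\System32\robocopy.exe" /f'''),
    ProcEvent(1320, r"C:\Windows\SysWOW64\cmd.exe", r"C:\Windows\SysWOW64\reg.exe",
              r"reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f"),
]

if __name__ == "__main__":
    for pid, reason in analyze(SAMPLE_EVENTS):
        print(f"PID {pid}: {reason}")
```

Each of the three report-derived schtasks events produces three findings (unexpected parent, masquerading target, risky trigger), the benign control produces none, and the reg.exe event produces one. The masquerade rule is the most portable of the three: a task whose action is lsass.exe or RuntimeBroker.exe outside C:\Windows\System32 is a finding regardless of how the task was created.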
Network
MITRE ATT&CK Enterprise v15
Downloads
C:\Users\Admin\AppData\Local\Temp\MemZ.exe
    Filesize: 10KB
    MD5: 424755b9f13cdb742d503836bf09e63e
    SHA1: b4cdc234fdca58519edf14fa3b0bb3a522249440
    SHA256: e0e95c4be30bc2199018c4a44b4df874ee991665d0aff048e39b1c905cc9da56
    SHA512: 29dd79ca6d2e451da0b0597c1d6b4cd860a8641438f139dcd3ecc02ecd0a638feb28e41b2088fc2e360b27f5c343b1843889686070307bdb26077593791972b7
C:\Users\Admin\AppData\Local\Temp\NursuItanLoader_1.16.exe
    Filesize: 578KB
    MD5: c79991b2359aede893bcd2e0a962378d
    SHA1: 80ae9ddcdebe17c2af22c33ac1137d1811dbb0af
    SHA256: 5b706a3df72925ddcde585b41a82d76dda513d86b81d7d527f2990d5fd5218b6
    SHA512: 51f9274d30ba40a434fbc7930a8bbb0f9b75bb9184bcb35bf227761df71587bbfde28157a4e7ac29e1d119509dfd5882bef478d1bd3f6cbe813748077dbfcdb6
C:\Windows\Debug\WIA\wiatrace.log (three successive versions)
    Filesize: 2KB
    MD5: 340b78795385833955856bbc35168ab4
    SHA1: 0eff6d3568a4c0a08fa63e64270a8e992e608323
    SHA256: 73200e842ffedcd51958171143f85dacfca98a4719cb10ffa71a34c65b026032
    SHA512: 21f2883dde27c6520116f4000ea7b4dfb8c7b8be8de953d13bc1a6caa55000176710b7e166ac9cc31bc786f3b23049d957f1f9167d99f6e4ebfc6670f6e95846

    Filesize: 3KB
    MD5: 6fcf80bf6c7e2cf9dad0f8b61f4e4671
    SHA1: bf0083943118dfeed0e76748cdc395cf73e3433b
    SHA256: 1e049f0db03a3cc3f563452a87a041f587e96ee745aca5600a9fd13955816897
    SHA512: b49f7af780edaa9a3d0d4108d9ca5f2662e17b5e886ed5d617f1f981d54947eb2f661e121ff76fc44afb4004bed01a18b61f0f01cf59640cb5d47ca24ed11fa5

    Filesize: 4KB
    MD5: d943abc80ab89c23a92a39dfb4c236af
    SHA1: fc0ed0290513c33bca1297beba7b36c6ca245391
    SHA256: 8a18b888142322b3be37ff134d87fa49b88f14fb762348d30f1590547b1de11a
    SHA512: 41ce434ca1c1805c179098c893205f218b190418ef528d85efd594a903edf8960da11f11565d435c7ab67e7e3c60efb4b0afede66bead5e77c9cf66e8b86d52b
C:\portagentbrowserweb\6X9rFgrS3wv5iM7PLkmLFP1j.bat
    Filesize: 157B
    MD5: c8f8a078dace2ff4cb106803c9199643
    SHA1: a5029ff4c4f0f24b0fbe2951c9a8002501ebd3b5
    SHA256: 1b99d39fa273f33b072c67e0df7d33b1699fa17b7c7139467a658302a5ed0e0d
    SHA512: efaea3b4653768bbd135a0ec55319df2464f1d440ad982f31a5eff05c5ba5032f4718683ff6419c668bf1f34a117b5a101f56d1efc1d74ad93e692c52686f999
C:\portagentbrowserweb\Containerruntime.exe
    Filesize: 1.2MB
    MD5: 5887a563351ca99247b7e2c448bd9f2e
    SHA1: b24695e88143863297535989900bb7521ea86d67
    SHA256: e74cbd74c838db604926e27322342c02f803b95f98680d4089b5c01ed93fb390
    SHA512: b7d82bd09ba64891b75bbb9356de74a1ed0835709a391698c1301825777418f57e4f2ae3c260d3f7b6ada05d0e7ddeb4a6b75901fdf53bdd82ffa2febb685107
C:\portagentbrowserweb\WRLLAAz5wgYRSh1EMNi6f5aM.vbe
    Filesize: 220B
    MD5: 61a07f2f9e8e9b1f5175b2d60c3e3f18
    SHA1: e695b0c2b43c786453bf3f6ae504f0626951d281
    SHA256: 5c75708ec9e4fe419a2fd1067bd5793bacb28140177cc6b36300fbf28e7c23d1
    SHA512: 8ef3529f6bf504224e7803019f1e162aead7961bc1a5115f50fb5f580570e8b04707da21a7aab4eb7f1554a3b5333597fb3335e5f6a74dabfdb0583eecb35b5d
Memory dumps:
memory/736-116-0x00000000009B0000-0x0000000000A46000-memory.dmp | 600KB
memory/2688-13-0x00000000008F0000-0x0000000000A22000-memory.dmp | 1.2MB (the dcrat YARA hit)
memory/2688-17-0x000000001B570000-0x000000001B57C000-memory.dmp | 48KB
memory/2688-16-0x000000001B550000-0x000000001B566000-memory.dmp | 88KB
memory/2688-15-0x000000001B5A0000-0x000000001B5F0000-memory.dmp | 320KB
memory/2688-14-0x0000000002AB0000-0x0000000002ACC000-memory.dmp | 112KB
memory/2688-12-0x00007FFF5D873000-0x00007FFF5D875000-memory.dmp | 8KB
memory/2960-129-0x0000000000A30000-0x0000000000A38000-memory.dmp | 32KB