Analysis
-
max time kernel
1187s -
max time network
1196s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20240426-en locale:en-us os:windows10-2004-x64 system -
submitted
31-05-2024 15:18
General
-
Target
nursultan nexgen fix.exe
-
Size
1.5MB
-
MD5
a3d07c747770c9a471a44446e46e33d5
-
SHA1
8340534fb1770bae9660287ddb0496e243efcfe4
-
SHA256
16015088c3352a8257f420555e7ce6245aa0e6682deeca79bf7e08c24e1ac3de
-
SHA512
307cbdddaa9f426f8ceec060c2c0b1ab5ed3573e327dbcfdda7b1dfd22cf17559f017d835d71bdd15397fa95b0c7dfbfb4cd6b51cd5b2adc1d1cddc8ffe27f99
-
SSDEEP
24576:U2G/nvxW3Ww0tpfnNGcvUCxt9groiK5Cg3ZRvm43TzvmF2cK07:UbA30pfnLRRgrheJROuTzvIR
Malware Config
Signatures
-
DcRat
DarkCrystal RAT (DCRat) is a .NET RAT, active since June 2019, capable of loading additional plugins. In this run the dcrat YARA rule matches both the dropped Containerruntime.exe on disk and its mapped image in memory (the memory/224-13 dump listed under Downloads), and the CLR_v4.0\UsageLogs\WmiPrvSE.exe.log entry under Downloads confirms that the dropped copies are .NET Framework 4 assemblies (that log is written by the CLR when a managed executable starts).
-
Process spawned unexpected child process 36 IoCs
This typically indicates the parent process was compromised via an exploit or macro. That generic wording does not fit this trace: there is no exploit or macro in the chain (dropper, .vbe script, .bat, then Containerruntime.exe), and the unexpected parent is the WMI provider host. A process created through WMI (Win32_Process.Create runs inside WmiPrvSE.exe, so the new process is parented to it) looks exactly like this, which makes WMI the likely launch mechanism for the 36 schtasks.exe instances. Detection should key on wmiprvse.exe spawning schtasks.exe regardless of mechanism.
Processes: schtasks.exe (36 instances)
description: Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process (identical for all 36 rows)
pid_target: 2560 (the wmiprvse.exe instance, identical for all 36 rows)
target process: schtasks.exe
pid, in row order (these match the schtasks.exe PIDs under "Creates scheduled task(s)"): 1668, 4968, 5032, 4984, 1536, 2764, 3532, 1612, 3540, 1356, 1484, 4352, 1704, 2352, 3476, 2296, 1768, 4272, 4228, 1036, 2120, 1808, 4720, 1164, 4696, 2992, 3000, 2556, 4952, 2108, 3544, 3528, 4588, 4524, 2384, 1936 -
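The three lineage checks a detection engineer would want from this signature block (an unexpected parent, a payload descending from a script host, and the reg.exe write that disables Task Manager), written as an added example that is not part of the sandbox report. The event list is constructed from the PIDs, image paths and command lines on this page; the two placeholder parent PIDs (1000 and 700) and the (pid, ppid, image, cmdline) tuple shape are assumptions standing in for a real Sysmon Event ID 1 feed.

```python
"""Lineage rules over process-creation events, modelled on this report's tree."""
from pathlib import PureWindowsPath

# Constructed from the report: (pid, ppid, image, cmdline).
# ppid 1000 and 700 are placeholders for parents the report does not show.
EVENTS = [
    (4960, 1000, r"C:\Users\Admin\AppData\Local\Temp\nursultan nexgen fix.exe",
     r'"C:\Users\Admin\AppData\Local\Temp\nursultan nexgen fix.exe"'),
    (2160, 4960, r"C:\Windows\SysWOW64\WScript.exe",
     r'"C:\Windows\System32\WScript.exe" "C:\portagentbrowserweb\WRLLAAz5wgYRSh1EMNi6f5aM.vbe"'),
    (4392, 2160, r"C:\Windows\SysWOW64\cmd.exe",
     r'C:\Windows\system32\cmd.exe /c ""C:\portagentbrowserweb\6X9rFgrS3wv5iM7PLkmLFP1j.bat" "'),
    (224, 4392, r"C:\portagentbrowserweb\Containerruntime.exe",
     r'"C:\portagentbrowserweb\Containerruntime.exe"'),
    (1560, 4392, r"C:\Windows\SysWOW64\reg.exe",
     r"reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f"),
    (2560, 700, r"C:\Windows\system32\wbem\wmiprvse.exe", r"C:\Windows\system32\wbem\wmiprvse.exe"),
    (1668, 2560, r"C:\Windows\system32\schtasks.exe",
     r'''schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 9 /tr "'C:\Windows\GameBarPresenceWriter\OfficeClickToRun.exe'" /f'''),
    (4968, 2560, r"C:\Windows\system32\schtasks.exe",
     r'''schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Windows\GameBarPresenceWriter\OfficeClickToRun.exe'" /rl HIGHEST /f'''),
]

SYSTEM_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
# child image basename -> parent basenames that should never spawn it
UNEXPECTED_PARENTS = {"schtasks.exe": {"wmiprvse.exe"}}


def basename(image):
    return PureWindowsPath(image).name.lower()


def ancestor_names(index, pid):
    """Image basenames of every recorded ancestor of pid, nearest first."""
    names, seen = [], set()
    while pid in index and pid not in seen:
        seen.add(pid)
        pid = index[pid][0]
        if pid in index:
            names.append(basename(index[pid][1]))
    return names


def analyse(events):
    """Return (pid, rule, detail) findings in event order."""
    index = {pid: (ppid, image, cmdline) for pid, ppid, image, cmdline in events}
    findings = []
    for pid, ppid, image, cmdline in events:
        name = basename(image)
        parent = basename(index[ppid][1]) if ppid in index else None
        # Rule 1: a parent that has no business spawning this child.
        if parent in UNEXPECTED_PARENTS.get(name, ()):
            findings.append((pid, "unexpected-parent", f"{name} spawned by {parent}"))
        # Rule 2: an executable outside the system roots whose ancestry includes a script host.
        if not image.lower().startswith(SYSTEM_ROOTS) and SCRIPT_HOSTS & set(ancestor_names(index, pid)):
            findings.append((pid, "script-host-lineage", f"{image} descends from a script host"))
        # Rule 3: reg.exe turning on the DisableTaskMgr policy.
        low = cmdline.lower()
        if name == "reg.exe" and "disabletaskmgr" in low and "/d 1" in low:
            findings.append((pid, "task-manager-disabled", cmdline))
    return findings


if __name__ == "__main__":
    for pid, rule, detail in analyse(EVENTS):
        print(f"{pid:>5}  {rule:<22} {detail}")
```

Run against the constructed events this reports Containerruntime.exe (PID 224) for its script-host lineage, reg.exe (PID 1560) for the policy write, and both schtasks.exe instances for their WmiPrvSE.exe parent; the dropper itself is not reported because it has no recorded ancestor, which is the right outcome for rule 2 and a reminder that rule 1 needs a complete parent chain to fire.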
DcRat YARA matches:
resource  yara_rule
C:\portagentbrowserweb\Containerruntime.exe  dcrat
behavioral1/memory/224-13-0x00000000005F0000-0x0000000000722000-memory.dmp  dcrat -
Disables Task Manager via registry modification (reg.exe, PID 1560, sets HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = 1; see the process tree)
-
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
Processes: nursultan nexgen fix.exe, WScript.exe, Containerruntime.exe
description  ioc  process
Key value queried  \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation  nursultan nexgen fix.exe
Key value queried  \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation  WScript.exe
Key value queried  \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation  Containerruntime.exe -
Executes dropped EXE 22 IoCs
Processes:
pid  process
224  Containerruntime.exe
4580  RuntimeBroker.exe
4464  conhost.exe
4556  OfficeClickToRun.exe
4600  TextInputHost.exe
2528  WmiPrvSE.exe
1572  spoolsv.exe
4332  services.exe
1172  upfc.exe
1012  RuntimeBroker.exe
440  conhost.exe
4464  sysmon.exe
3124  sihost.exe
4796  OfficeClickToRun.exe
4920  TextInputHost.exe
3344  WmiPrvSE.exe
1780  spoolsv.exe
3892  services.exe
2752  conhost.exe
5004  upfc.exe
3956  RuntimeBroker.exe
1888  conhost.exe
(PID 4464 is listed for both conhost.exe and sysmon.exe: the PID was reused after the first conhost.exe copy exited, so do not pivot on PID alone when correlating these events.) -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops file in Program Files directory 10 IoCs
Processes:
Processes: Containerruntime.exe
description  ioc  process
File created  C:\Program Files (x86)\Common Files\24dbde2999530e  Containerruntime.exe
File created  C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\services.exe  Containerruntime.exe
File created  C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\c5b4cb5e9653cc  Containerruntime.exe
File created  C:\Program Files\Internet Explorer\ja-JP\RuntimeBroker.exe  Containerruntime.exe
File created  C:\Program Files\dotnet\121e5b5079f7c0  Containerruntime.exe
File created  C:\Program Files\Internet Explorer\ja-JP\9e8d7a4ca61bd9  Containerruntime.exe
File created  C:\Program Files\Windows Photo Viewer\de-DE\OfficeClickToRun.exe  Containerruntime.exe
File created  C:\Program Files\Windows Photo Viewer\de-DE\e6c9b481da804f  Containerruntime.exe
File created  C:\Program Files (x86)\Common Files\WmiPrvSE.exe  Containerruntime.exe
File created  C:\Program Files\dotnet\sysmon.exe  Containerruntime.exe -
Drops file in Windows directory 3 IoCs
Processes:
Processes: Containerruntime.exe
description  ioc  process
File created  C:\Windows\GameBarPresenceWriter\OfficeClickToRun.exe  Containerruntime.exe
File opened for modification  C:\Windows\GameBarPresenceWriter\OfficeClickToRun.exe  Containerruntime.exe
File created  C:\Windows\GameBarPresenceWriter\e6c9b481da804f  Containerruntime.exe -
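Two things stand out in the two "Drops file" lists above: every payload copy borrows the name of a Windows binary but lands in a directory where that binary never lives, and every copy is accompanied by a 14-character hex-named file with no extension (note that e6c9b481da804f is dropped beside both OfficeClickToRun.exe copies, so the companion name tracks the payload, not the directory). The following added example, not part of the report, turns both observations into checks over the drop list. DROPPED is copied from the signatures above; SYSTEM_BINARY_HOMES is an assumption naming the directory where the genuine binary of each name is expected, kept short on purpose; the 14-hex-character companion pattern is taken from this sample and is not claimed to be universal.

```python
"""Triage of a file-drop list: masquerade check and companion-file pairing."""
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Copied from the report's "Drops file in Program Files directory" and
# "Drops file in Windows directory" signatures (File created rows only).
DROPPED = [
    r"C:\Program Files (x86)\Common Files\24dbde2999530e",
    r"C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\services.exe",
    r"C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\c5b4cb5e9653cc",
    r"C:\Program Files\Internet Explorer\ja-JP\RuntimeBroker.exe",
    r"C:\Program Files\dotnet\121e5b5079f7c0",
    r"C:\Program Files\Internet Explorer\ja-JP\9e8d7a4ca61bd9",
    r"C:\Program Files\Windows Photo Viewer\de-DE\OfficeClickToRun.exe",
    r"C:\Program Files\Windows Photo Viewer\de-DE\e6c9b481da804f",
    r"C:\Program Files (x86)\Common Files\WmiPrvSE.exe",
    r"C:\Program Files\dotnet\sysmon.exe",
    r"C:\Windows\GameBarPresenceWriter\OfficeClickToRun.exe",
    r"C:\Windows\GameBarPresenceWriter\e6c9b481da804f",
]

# Assumption: lowercase directory where the genuine binary of each name lives.
SYSTEM_BINARY_HOMES = {
    "runtimebroker.exe": {r"c:\windows\system32"},
    "wmiprvse.exe": {r"c:\windows\system32\wbem", r"c:\windows\syswow64\wbem"},
    "services.exe": {r"c:\windows\system32"},
    "officeclicktorun.exe": {r"c:\program files\common files\microsoft shared\clicktorun"},
}
# Companion file shape observed in this sample: 14 lowercase hex chars, no extension.
COMPANION = re.compile(r"^[0-9a-f]{14}$")


def masquerades(path):
    """True when a well-known binary name sits outside its expected directory."""
    p = PureWindowsPath(path)
    homes = SYSTEM_BINARY_HOMES.get(p.name.lower())
    return homes is not None and str(p.parent).lower() not in homes


def pair_companions(paths):
    """Group drops by directory; keep directories holding an .exe plus a companion."""
    by_dir = defaultdict(lambda: {"exe": [], "companion": []})
    for path in paths:
        p = PureWindowsPath(path)
        bucket = by_dir[str(p.parent).lower()]
        if p.suffix.lower() == ".exe":
            bucket["exe"].append(p.name)
        elif COMPANION.match(p.name):
            bucket["companion"].append(p.name)
    return {d: b for d, b in by_dir.items() if b["exe"] and b["companion"]}


def triage(paths):
    return {
        "masquerading": sorted(p for p in paths if masquerades(p)),
        "paired_drops": pair_companions(paths),
    }


if __name__ == "__main__":
    result = triage(DROPPED)
    for p in result["masquerading"]:
        print("masquerade:", p)
    for d, b in result["paired_drops"].items():
        print("paired:", d, b["exe"], b["companion"])
```

On this list the masquerade check flags five of the six payload copies; sysmon.exe is not flagged because the Sysinternals tool has no single home directory, which is exactly the kind of name a short allow-map misses, so treat the companion pairing (all six directories pair one .exe with one hex-named file) as the stronger of the two signals for this family.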
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 36 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
Processes: schtasks.exe (36 instances)
pid  process
schtasks.exe, PIDs: 3476, 4228, 1036, 3540, 2108, 1484, 1808, 2352, 2296, 2992, 3544, 3532, 1612, 4352, 4272, 2120, 4968, 4696, 4952, 3528, 1768, 2764, 1704, 4720, 3000, 4588, 2384, 5032, 4984, 1536, 1356, 1164, 2556, 4524, 1936, 1668 -
Modifies registry class 2 IoCs
Processes:
Processes: Containerruntime.exe, nursultan nexgen fix.exe
description  ioc  process
Key created  \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings  Containerruntime.exe
Key created  \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings  nursultan nexgen fix.exe -
Modifies registry key 1 TTPs 1 IoCs (the DisableTaskMgr value written by reg.exe, PID 1560, in the process tree)
-
Suspicious behavior: EnumeratesProcesses 24 IoCs
Processes:
Processes: Containerruntime.exe, RuntimeBroker.exe
pid  process  (hits)
224  Containerruntime.exe  (11)
4580  RuntimeBroker.exe  (13) -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
Processes: RuntimeBroker.exe
pid  process
4580  RuntimeBroker.exe -
Suspicious use of AdjustPrivilegeToken 22 IoCs
Processes:
Processes: Containerruntime.exe, RuntimeBroker.exe, conhost.exe, OfficeClickToRun.exe, TextInputHost.exe, spoolsv.exe, WmiPrvSE.exe, services.exe, upfc.exe, sysmon.exe, sihost.exe
All 22 entries are Token: SeDebugPrivilege.
pid  process
224  Containerruntime.exe
4580  RuntimeBroker.exe
4464  conhost.exe
4556  OfficeClickToRun.exe
4600  TextInputHost.exe
1572  spoolsv.exe
2528  WmiPrvSE.exe
4332  services.exe
1172  upfc.exe
1012  RuntimeBroker.exe
440  conhost.exe
4464  sysmon.exe
3124  sihost.exe
4796  OfficeClickToRun.exe
4920  TextInputHost.exe
3344  WmiPrvSE.exe
1780  spoolsv.exe
3892  services.exe
2752  conhost.exe
5004  upfc.exe
3956  RuntimeBroker.exe
1888  conhost.exe -
Suspicious use of WriteProcessMemory 17 IoCs
Processes:
Processes: nursultan nexgen fix.exe, WScript.exe, cmd.exe, Containerruntime.exe, cmd.exe
description: PID <pid> wrote to memory of <target pid>
pid  process  ->  target pid  target process  (rows)
4960  nursultan nexgen fix.exe  ->  2160  WScript.exe  (3)
2160  WScript.exe  ->  4392  cmd.exe  (3)
4392  cmd.exe  ->  224  Containerruntime.exe  (2)
224  Containerruntime.exe  ->  4304  cmd.exe  (2)
4392  cmd.exe  ->  1560  reg.exe  (3)
4304  cmd.exe  ->  2520  w32tm.exe  (2)
4304  cmd.exe  ->  4580  RuntimeBroker.exe  (2)
Every edge here is a parent writing into a child it has just created, and all seven pairs appear as parent/child links in the process tree; nothing is written into a process the sample did not start itself, so this is process creation, not injection into an unrelated process. -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
[1] C:\Users\Admin\AppData\Local\Temp\nursultan nexgen fix.exe (PID 4960)
    cmdline: "C:\Users\Admin\AppData\Local\Temp\nursultan nexgen fix.exe"
    - Checks computer location settings
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    [2] C:\Windows\SysWOW64\WScript.exe (PID 2160)
        cmdline: "C:\Windows\System32\WScript.exe" "C:\portagentbrowserweb\WRLLAAz5wgYRSh1EMNi6f5aM.vbe"
        - Checks computer location settings
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\SysWOW64\cmd.exe (PID 4392)
            cmdline: C:\Windows\system32\cmd.exe /c ""C:\portagentbrowserweb\6X9rFgrS3wv5iM7PLkmLFP1j.bat" "
            - Suspicious use of WriteProcessMemory
            [4] C:\portagentbrowserweb\Containerruntime.exe (PID 224)
                cmdline: "C:\portagentbrowserweb\Containerruntime.exe"
                - Checks computer location settings
                - Executes dropped EXE
                - Drops file in Program Files directory
                - Drops file in Windows directory
                - Modifies registry class
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of AdjustPrivilegeToken
                - Suspicious use of WriteProcessMemory
                [5] C:\Windows\System32\cmd.exe (PID 4304)
                    cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\mhkL5UGXK6.bat"
                    - Suspicious use of WriteProcessMemory
                    [6] C:\Windows\system32\w32tm.exe (PID 2520)
                        cmdline: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                    [6] C:\Program Files\Internet Explorer\ja-JP\RuntimeBroker.exe (PID 4580)
                        cmdline: "C:\Program Files\Internet Explorer\ja-JP\RuntimeBroker.exe"
                        - Executes dropped EXE
                        - Suspicious behavior: EnumeratesProcesses
                        - Suspicious behavior: GetForegroundWindowSpam
                        - Suspicious use of AdjustPrivilegeToken
            [4] C:\Windows\SysWOW64\reg.exe (PID 1560)
                cmdline: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
                - Modifies registry key

Notes on the chain:
- The dropper is 32-bit (arch:x86 in the resource tags), so WScript.exe, cmd.exe and reg.exe run from SysWOW64 although the command lines name System32; that is WOW64 file-system redirection, not a copied binary.
- Containerruntime.exe is a 64-bit process (its memory dumps sit at 0x00007FFF... addresses) and is the component that drops the payload copies. Its helper batch mhkL5UGXK6.bat runs w32tm /stripchart ... /period:5 /samples:2, a common batch-file stand-in for a roughly five-second sleep, before starting the first copy (RuntimeBroker.exe, PID 4580).
- The tasks below also point at copies under C:\portagentbrowserweb and C:\Recovery\WindowsRE that no "Drops file" signature lists, because those signatures only watch Program Files and the Windows directory. Those two directories must be part of any cleanup.

[1] C:\Windows\system32\schtasks.exe, 36 instances at depth 1 (the "Process spawned unexpected child process" block records wmiprvse.exe, PID 2560, as their parent). Each triggers "Process spawned unexpected child process" and "Creates scheduled task(s)". Every target gets three tasks: an interval task without run level, a logon task at HIGHEST, and a second interval task at HIGHEST.
    PID 1668: schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 9 /tr "'C:\Windows\GameBarPresenceWriter\OfficeClickToRun.exe'" /f
    PID 4968: schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Windows\GameBarPresenceWriter\OfficeClickToRun.exe'" /rl HIGHEST /f
    PID 5032: schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 10 /tr "'C:\Windows\GameBarPresenceWriter\OfficeClickToRun.exe'" /rl HIGHEST /f
    PID 4984: schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\portagentbrowserweb\RuntimeBroker.exe'" /f
    PID 1536: schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\portagentbrowserweb\RuntimeBroker.exe'" /rl HIGHEST /f
    PID 2764: schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\portagentbrowserweb\RuntimeBroker.exe'" /rl HIGHEST /f
    PID 1612: schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\conhost.exe'" /f
    PID 3532: schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\conhost.exe'" /rl HIGHEST /f
    PID 3540: schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\conhost.exe'" /rl HIGHEST /f
    PID 1356: schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Photo Viewer\de-DE\OfficeClickToRun.exe'" /f
    PID 1484: schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\de-DE\OfficeClickToRun.exe'" /rl HIGHEST /f
    PID 4352: schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Photo Viewer\de-DE\OfficeClickToRun.exe'" /rl HIGHEST /f
    PID 1704: schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 5 /tr "'C:\portagentbrowserweb\TextInputHost.exe'" /f
    PID 2352: schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\portagentbrowserweb\TextInputHost.exe'" /rl HIGHEST /f
    PID 3476: schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 7 /tr "'C:\portagentbrowserweb\TextInputHost.exe'" /rl HIGHEST /f
    PID 2296: schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Common Files\WmiPrvSE.exe'" /f
    PID 1768: schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\WmiPrvSE.exe'" /rl HIGHEST /f
    PID 4272: schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Common Files\WmiPrvSE.exe'" /rl HIGHEST /f
    PID 4228: schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\portagentbrowserweb\spoolsv.exe'" /f
    PID 1036: schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\portagentbrowserweb\spoolsv.exe'" /rl HIGHEST /f
    PID 2120: schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\portagentbrowserweb\spoolsv.exe'" /rl HIGHEST /f
    PID 1808: schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\services.exe'" /f
    PID 4720: schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\services.exe'" /rl HIGHEST /f
    PID 1164: schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\services.exe'" /rl HIGHEST /f
    PID 4696: schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\sihost.exe'" /f
    PID 2992: schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sihost.exe'" /rl HIGHEST /f
    PID 3000: schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\sihost.exe'" /rl HIGHEST /f
    PID 2556: schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 12 /tr "'C:\Program Files\dotnet\sysmon.exe'" /f
    PID 4952: schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Program Files\dotnet\sysmon.exe'" /rl HIGHEST /f
    PID 2108: schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 11 /tr "'C:\Program Files\dotnet\sysmon.exe'" /rl HIGHEST /f
    PID 3544: schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\upfc.exe'" /f
    PID 3528: schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\upfc.exe'" /rl HIGHEST /f
    PID 4588: schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\upfc.exe'" /rl HIGHEST /f
    PID 4524: schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Program Files\Internet Explorer\ja-JP\RuntimeBroker.exe'" /f
    PID 2384: schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\ja-JP\RuntimeBroker.exe'" /rl HIGHEST /f
    PID 1936: schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Program Files\Internet Explorer\ja-JP\RuntimeBroker.exe'" /rl HIGHEST /f

[1] Payload copies started at depth 1 (no parent captured in the tree, consistent with launch by the tasks above). The command line is the image path. Each triggers "Executes dropped EXE" and "Suspicious use of AdjustPrivilegeToken".
    PID 4464: C:\Recovery\WindowsRE\conhost.exe
    PID 4556: C:\Program Files\Windows Photo Viewer\de-DE\OfficeClickToRun.exe
    PID 4600: C:\portagentbrowserweb\TextInputHost.exe
    PID 2528: C:\Program Files (x86)\Common Files\WmiPrvSE.exe
    PID 1572: C:\portagentbrowserweb\spoolsv.exe
    PID 4332: C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\services.exe
    PID 1172: C:\Recovery\WindowsRE\upfc.exe
    PID 1012: C:\Program Files\Internet Explorer\ja-JP\RuntimeBroker.exe
    PID 440: C:\Recovery\WindowsRE\conhost.exe
    PID 4464: C:\Program Files\dotnet\sysmon.exe
    PID 3124: C:\Recovery\WindowsRE\sihost.exe
    PID 4796: C:\Program Files\Windows Photo Viewer\de-DE\OfficeClickToRun.exe
    PID 4920: C:\portagentbrowserweb\TextInputHost.exe
    PID 3344: C:\Program Files (x86)\Common Files\WmiPrvSE.exe
    PID 1780: C:\portagentbrowserweb\spoolsv.exe
    PID 3892: C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\services.exe
    PID 2752: C:\Recovery\WindowsRE\conhost.exe
    PID 5004: C:\Recovery\WindowsRE\upfc.exe
    PID 3956: C:\Program Files\Internet Explorer\ja-JP\RuntimeBroker.exe
    PID 1888: C:\Recovery\WindowsRE\conhost.exe
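The 36 schtasks.exe lines above follow one template per target: an interval task, a logon task at HIGHEST, and a second interval task at HIGHEST, with the interval task named after the binary's stem plus its own first character (OfficeClickToRunO, conhostc, WmiPrvSEW, upfcu). The following added example, not part of the report, parses those command lines and summarises the persistence layered on each target. TASK_LINES holds twelve of the 36 lines above (four targets, three tasks each); the name heuristic in name_is_derived is an observation about this sample only and is not claimed to hold for other builds.

```python
"""Parse schtasks /create command lines and summarise persistence per target binary."""
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Copied from the process tree above: four targets, three tasks each.
TASK_LINES = [
    r'''schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 9 /tr "'C:\Windows\GameBarPresenceWriter\OfficeClickToRun.exe'" /f''',
    r'''schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Windows\GameBarPresenceWriter\OfficeClickToRun.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 10 /tr "'C:\Windows\GameBarPresenceWriter\OfficeClickToRun.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\conhost.exe'" /f''',
    r'''schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\conhost.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\conhost.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Common Files\WmiPrvSE.exe'" /f''',
    r'''schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\WmiPrvSE.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Common Files\WmiPrvSE.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Program Files\Internet Explorer\ja-JP\RuntimeBroker.exe'" /f''',
    r'''schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\ja-JP\RuntimeBroker.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Program Files\Internet Explorer\ja-JP\RuntimeBroker.exe'" /rl HIGHEST /f''',
]

TN = re.compile(r"/tn\s+\"([^\"]+)\"", re.I)
SC = re.compile(r"/sc\s+(\w+)", re.I)
MO = re.compile(r"/mo\s+(\d+)", re.I)
# The report's lines wrap the target as "'path'" (double quotes around single quotes).
TR = re.compile(r"/tr\s+\"'?([^\"']+)'?\"", re.I)
RL = re.compile(r"/rl\s+(\w+)", re.I)


def parse_task(line):
    mo, rl = MO.search(line), RL.search(line)
    return {
        "name": TN.search(line).group(1),
        "schedule": SC.search(line).group(1).upper(),
        "every_min": int(mo.group(1)) if mo else None,
        "target": TR.search(line).group(1),
        "run_level": rl.group(1).upper() if rl else "LIMITED",  # schtasks default when /rl is absent
    }


def name_is_derived(task_name, target):
    """Observed in this sample: task name is the binary stem, or the stem plus its first character."""
    stem = PureWindowsPath(target).stem
    return task_name in (stem, stem + stem[0])


def summarise(lines):
    """Per-target view: how many tasks, which triggers, the tightest interval, run level, naming."""
    groups = defaultdict(list)
    for line in lines:
        task = parse_task(line)
        groups[task["target"]].append(task)
    report = {}
    for target, tasks in groups.items():
        intervals = [t["every_min"] for t in tasks if t["every_min"]]
        report[target] = {
            "tasks": len(tasks),
            "onlogon": any(t["schedule"] == "ONLOGON" for t in tasks),
            "min_interval": min(intervals) if intervals else None,
            "highest": any(t["run_level"] == "HIGHEST" for t in tasks),
            "derived_names": all(name_is_derived(t["name"], target) for t in tasks),
        }
    return report


def layered_persistence(report):
    """Targets kept alive by a logon trigger plus a minute-interval trigger at HIGHEST."""
    return sorted(t for t, r in report.items() if r["onlogon"] and r["min_interval"] and r["highest"])


if __name__ == "__main__":
    summary = summarise(TASK_LINES)
    for target in layered_persistence(summary):
        r = summary[target]
        print(f"{target}: {r['tasks']} tasks, relaunch every {r['min_interval']} min, HIGHEST={r['highest']}")
```

The tightest interval per target is what matters for response: with conhost.exe and the ja-JP RuntimeBroker.exe relaunched every 5 minutes, killing the processes without first deleting all three tasks per target (and the files they point at) just restarts the implant. The regexes are deliberately tied to the quoting style seen in these lines; a generic parser would need to handle /tr values without the inner single quotes as well.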
Network
MITRE ATT&CK Enterprise v15
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\WmiPrvSE.exe.log
Filesize: 1KB
MD5: baf55b95da4a601229647f25dad12878
SHA1: abc16954ebfd213733c4493fc1910164d825cac8
SHA256: ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924
SHA512: 24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545
-
C:\Users\Admin\AppData\Local\Temp\mhkL5UGXK6.bat
Filesize: 223B
MD5: 5d1e9f05ff07a8af0239e89566f57a8a
SHA1: a1919e37838f587d3185dab332b40d8a8b40ce7b
SHA256: 39f851eab7acef9f55f091f6efcb40a3be44ec42c4ea4ece4c5b46939d419d1e
SHA512: 434e99eb40716ef87f145b68835d0bad1878698eec53f8c83be4d04a3e3f67660975ff38273b7ea176003c62b952161ecac67984222bd5008f96091b0bba3992
-
C:\portagentbrowserweb\6X9rFgrS3wv5iM7PLkmLFP1j.bat
Filesize: 157B
MD5: c8f8a078dace2ff4cb106803c9199643
SHA1: a5029ff4c4f0f24b0fbe2951c9a8002501ebd3b5
SHA256: 1b99d39fa273f33b072c67e0df7d33b1699fa17b7c7139467a658302a5ed0e0d
SHA512: efaea3b4653768bbd135a0ec55319df2464f1d440ad982f31a5eff05c5ba5032f4718683ff6419c668bf1f34a117b5a101f56d1efc1d74ad93e692c52686f999
-
C:\portagentbrowserweb\Containerruntime.exe
Filesize: 1.2MB
MD5: 5887a563351ca99247b7e2c448bd9f2e
SHA1: b24695e88143863297535989900bb7521ea86d67
SHA256: e74cbd74c838db604926e27322342c02f803b95f98680d4089b5c01ed93fb390
SHA512: b7d82bd09ba64891b75bbb9356de74a1ed0835709a391698c1301825777418f57e4f2ae3c260d3f7b6ada05d0e7ddeb4a6b75901fdf53bdd82ffa2febb685107
-
C:\portagentbrowserweb\WRLLAAz5wgYRSh1EMNi6f5aM.vbe
Filesize: 220B
MD5: 61a07f2f9e8e9b1f5175b2d60c3e3f18
SHA1: e695b0c2b43c786453bf3f6ae504f0626951d281
SHA256: 5c75708ec9e4fe419a2fd1067bd5793bacb28140177cc6b36300fbf28e7c23d1
SHA512: 8ef3529f6bf504224e7803019f1e162aead7961bc1a5115f50fb5f580570e8b04707da21a7aab4eb7f1554a3b5333597fb3335e5f6a74dabfdb0583eecb35b5d
-
memory/224-12-0x00007FFF0A813000-0x00007FFF0A815000-memory.dmp
Filesize: 8KB
-
memory/224-13-0x00000000005F0000-0x0000000000722000-memory.dmp
Filesize: 1.2MB
-
memory/224-14-0x0000000002830000-0x000000000284C000-memory.dmp
Filesize: 112KB
-
memory/224-16-0x0000000002850000-0x0000000002866000-memory.dmp
Filesize: 88KB
-
memory/224-15-0x000000001B310000-0x000000001B360000-memory.dmp
Filesize: 320KB
-
memory/224-17-0x0000000002870000-0x000000000287C000-memory.dmp
Filesize: 48KB