description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2964	2836	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2848	2836	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2800	2836	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2876	2836	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2856	2836	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2896	2836	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2868	2836	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2752	2836	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2708	2836	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2772	2836	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2268	2836	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2224	2836	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2764	2836	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2492	2836	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2060	2836	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1420	2836	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	344	2836	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1416	2836	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2136	2836	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2900	2836	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3040	2836	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2456	2836	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2756	2836	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1532	2836	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	652	2836	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2340	2836	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2452	2836	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	608	2836	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	528	2836	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1620	2836	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2220	2836	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1956	2836	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2052	2836	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2428	2836	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2176	2836	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2012	2836	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	628	2836	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1368	2836	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	104	2836	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2356	2836	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2668	2836	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1864	2836	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2444	2836	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1536	2836	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2648	2836	schtasks.exe	30

resource	yara_rule
behavioral1/memory/1760-1-0x0000000000BF0000-0x0000000000CC6000-memory.dmp	dcrat
behavioral1/files/0x0005000000019926-11.dat	dcrat
behavioral1/memory/1624-41-0x0000000001360000-0x0000000001436000-memory.dmp	dcrat

description	ioc	Process
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\spoolsv.exe	portperf.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\spoolsv.exe	portperf.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\886983d96e3d3e	portperf.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\f3b6ecef712a24	portperf.exe
File created	C:\Program Files (x86)\Windows Defender\es-ES\7a0fd90576e088	portperf.exe
File created	C:\Program Files (x86)\Microsoft Office\Stationery\1033\OSPPSVC.exe	portperf.exe
File created	C:\Program Files\Common Files\SpeechEngines\smss.exe	portperf.exe
File created	C:\Program Files\Common Files\SpeechEngines\69ddcba757bf72	portperf.exe
File created	C:\Program Files\Windows Defender\fr-FR\f3b6ecef712a24	portperf.exe
File created	C:\Program Files (x86)\Windows Defender\es-ES\explorer.exe	portperf.exe
File created	C:\Program Files (x86)\Microsoft Office\Stationery\1033\1610b97d3ab4a7	portperf.exe
File created	C:\Program Files\7-Zip\Lang\System.exe	portperf.exe
File created	C:\Program Files\Windows Defender\fr-FR\spoolsv.exe	portperf.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\csrss.exe	portperf.exe
File created	C:\Program Files\7-Zip\Lang\27d1bcfc3c54e0	portperf.exe

description	ioc	Process
File created	C:\Windows\Cursors\dllhost.exe	portperf.exe
File created	C:\Windows\Cursors\5940a34987c991	portperf.exe
File created	C:\Windows\de-DE\Idle.exe	portperf.exe
File created	C:\Windows\de-DE\6ccacd8608530f	portperf.exe

pid	Process
1760	portperf.exe
1760	portperf.exe
1760	portperf.exe
1760	portperf.exe
1760	portperf.exe
1760	portperf.exe
1760	portperf.exe
1760	portperf.exe
1760	portperf.exe
1760	portperf.exe
1760	portperf.exe
1624	spoolsv.exe
1624	spoolsv.exe
1624	spoolsv.exe
1624	spoolsv.exe
1624	spoolsv.exe
1624	spoolsv.exe
1624	spoolsv.exe
1624	spoolsv.exe
1624	spoolsv.exe

description	pid	Process
Token: SeDebugPrivilege	1760	portperf.exe
Token: SeDebugPrivilege	1624	spoolsv.exe

description	pid	Process	procid_target
PID 1760 wrote to memory of 1648	1760	portperf.exe	76
PID 1760 wrote to memory of 1648	1760	portperf.exe	76
PID 1760 wrote to memory of 1648	1760	portperf.exe	76
PID 1648 wrote to memory of 1012	1648	cmd.exe	78
PID 1648 wrote to memory of 1012	1648	cmd.exe	78
PID 1648 wrote to memory of 1012	1648	cmd.exe	78
PID 1648 wrote to memory of 1624	1648	cmd.exe	79
PID 1648 wrote to memory of 1624	1648	cmd.exe	79
PID 1648 wrote to memory of 1624	1648	cmd.exe	79

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads