Analysis
max time kernel: 149s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 14/01/2025, 02:35
Behavioral task behavioral1
Sample: 595fab3363e5c90ecf3f7375a0b82d996c96b6a0307ad31e6d79dde07eeb8595.exe
Resource: win7-20240903-en
Behavioral task behavioral2
Sample: 595fab3363e5c90ecf3f7375a0b82d996c96b6a0307ad31e6d79dde07eeb8595.exe
Resource: win10v2004-20241007-en
General
Target: 595fab3363e5c90ecf3f7375a0b82d996c96b6a0307ad31e6d79dde07eeb8595.exe
Size: 1.1MB
MD5: 490aa1e56fab47858d780a9fdbafb5bf
SHA1: 337d8c93caf41a62f0720ae1f0c02d262ac0a274
SHA256: 595fab3363e5c90ecf3f7375a0b82d996c96b6a0307ad31e6d79dde07eeb8595
SHA512: 7ff8f6983c789f78f67063745fef92040bb5cb88463e82f6a9f05ba0b48021bd2c541cec6e06726748547f0800abd14dd52fe798feddcb1427a46b87619a4f00
SSDEEP: 24576:2TbBv5rUyXV0VTney9cyQJMA+b3iE0nHA6E:IBJgTney9clmA+b3KHe
Malware Config
Signatures
DcRat
DarkCrystal (DC) is a .NET RAT, active since June 2019, that can load additional plugins.
Dcrat family
Modifies WinLogon for persistence 2 TTPs 6 IoCs
Process: ChainPortsurrogate.exe for all six writes. Each is a Set value (str) on \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell that rewrites the whole list with one more path appended, in this order:
- explorer.exe, "C:\Users\Public\SppExtComObj.exe"
- + "C:\Users\Default\Pictures\dwm.exe"
- + "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\services.exe"
- + "C:\ProviderserverruntimeperfSvc\dwm.exe"
- + "C:\Recovery\WindowsRE\services.exe"
- + "C:\ProviderserverruntimeperfSvc\ChainPortsurrogate.exe"
Final value: explorer.exe, "C:\Users\Public\SppExtComObj.exe", "C:\Users\Default\Pictures\dwm.exe", "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\services.exe", "C:\ProviderserverruntimeperfSvc\dwm.exe", "C:\Recovery\WindowsRE\services.exe", "C:\ProviderserverruntimeperfSvc\ChainPortsurrogate.exe"
Winlogon starts every entry of this comma-separated list at logon, so all six dropped copies run next to explorer.exe. The value lives under HKLM, so writing it required administrative rights in this run.
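A check for this persistence technique, added here as an example and not part of the sandbox report: it parses a Winlogon Shell value the way Winlogon reads it (a comma-separated list, entries optionally double-quoted) and reports every program beyond the default explorer.exe. The sample value is the final one recorded above; the set of system binary names and directories used for the masquerade check is an assumption for illustration.

```python
"""Flag non-default entries in the Winlogon Shell value.

Added example, not part of the sandbox report. Parses a Shell value such as
the one ChainPortsurrogate.exe writes and returns every program beyond the
default explorer.exe, marking those that borrow a Windows binary's name
while living outside the system directories.
"""
import csv
import ntpath

# Constructed input: the final Shell value recorded in the report, with the
# registry string escaping removed.
SAMPLE_SHELL_VALUE = (
    r'explorer.exe, "C:\Users\Public\SppExtComObj.exe", '
    r'"C:\Users\Default\Pictures\dwm.exe", '
    r'"C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\services.exe", '
    r'"C:\ProviderserverruntimeperfSvc\dwm.exe", '
    r'"C:\Recovery\WindowsRE\services.exe", '
    r'"C:\ProviderserverruntimeperfSvc\ChainPortsurrogate.exe"'
)

# Assumption (illustrative, not exhaustive): names of built-in Windows
# binaries that only live under the system directories below.
SYSTEM_BINARY_NAMES = {"dwm.exe", "services.exe", "sppextcomobj.exe", "explorer.exe"}
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64", r"c:\windows")


def parse_shell_value(value: str) -> list:
    """Split the Shell list into entries; csv handles the quoted paths."""
    rows = list(csv.reader([value], skipinitialspace=True))
    if not rows:
        return []
    return [entry.strip() for entry in rows[0] if entry.strip()]


def masquerades_system_binary(path: str) -> bool:
    """True if the file name is a known system binary but the directory is not a system directory."""
    directory, name = ntpath.split(path)
    return name.lower() in SYSTEM_BINARY_NAMES and directory.lower() not in SYSTEM_DIRS


def audit_shell_value(value: str) -> list:
    """One finding per entry other than the bare default 'explorer.exe'."""
    findings = []
    for entry in parse_shell_value(value):
        if entry.lower() == "explorer.exe":
            continue
        findings.append({"path": entry, "masquerade": masquerades_system_binary(entry)})
    return findings


if __name__ == "__main__":
    for finding in audit_shell_value(SAMPLE_SHELL_VALUE):
        tag = "MASQUERADE" if finding["masquerade"] else "EXTRA     "
        print(f"{tag} {finding['path']}")
```

Run against a live host, the value to feed in is the Shell string under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon (and, if present, the per-user copy under HKCU); anything this returns is worth a look, and a dwm.exe or services.exe outside System32 is a near-certain dropper.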
Process spawned unexpected child process 18 IoCs
This typically indicates the parent process was compromised via an exploit or macro. Here the parent is WmiPrvSE.exe, which is also the parent of any process created through WMI (Win32_Process.Create), so the more likely reading is that ChainPortsurrogate.exe created its scheduled tasks via WMI; that also explains why the schtasks.exe entries appear at the root of the process tree below instead of under ChainPortsurrogate.exe.
Parent C:\Windows\system32\wbem\wmiprvse.exe (PID 884) is not expected to spawn schtasks.exe. 18 instances, all with procid_target 86; child PIDs: 3092, 2344, 880, 4228, 4060, 376, 860, 2592, 4612, 3692, 2164, 5040, 4388, 1388, 4432, 1064, 3944, 3144.
DCRat payload 2 IoCs
resource / yara_rule:
- behavioral2/files/0x000e000000023b85-10.dat: family_dcrat_v2
- behavioral2/memory/2376-13-0x0000000000830000-0x0000000000904000-memory.dmp: family_dcrat_v2
Checks computer location settings 2 TTPs 18 IoCs
Looks up country code configured in the registry, likely geofence.
Key value queried: \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation
Processes: ChainPortsurrogate.exe (16 queries), WScript.exe (1), 595fab3363e5c90ecf3f7375a0b82d996c96b6a0307ad31e6d79dde07eeb8595.exe (1)
Executes dropped EXE 16 IoCs
16 instances of ChainPortsurrogate.exe: PIDs 2376, 3160, 1944, 840, 3516, 2500, 1460, 4708, 4368, 4544, 3700, 1060, 4216, 4740, 1256, 1452
Adds Run key to start application 2 TTPs 12 IoCs
All writes by ChainPortsurrogate.exe, Set value (str): six under HKLM and six under the user hive. The value names dwm and services are each written twice per hive with different paths, so if the rows are in event order only the later path survives under each name.
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
- dwm = "C:\ProviderserverruntimeperfSvc\dwm.exe"
- ChainPortsurrogate = "C:\ProviderserverruntimeperfSvc\ChainPortsurrogate.exe"
- dwm = "C:\Users\Default\Pictures\dwm.exe"
- services = "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\services.exe"
- services = "C:\Recovery\WindowsRE\services.exe"
- SppExtComObj = "C:\Users\Public\SppExtComObj.exe"
\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
- dwm = "C:\Users\Default\Pictures\dwm.exe"
- services = "C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\services.exe"
- dwm = "C:\ProviderserverruntimeperfSvc\dwm.exe"
- services = "C:\Recovery\WindowsRE\services.exe"
- ChainPortsurrogate = "C:\ProviderserverruntimeperfSvc\ChainPortsurrogate.exe"
- SppExtComObj = "C:\Users\Public\SppExtComObj.exe"
Drops file in System32 directory 2 IoCs
- File created \??\c:\Windows\System32\CSCF72B44DD612C48DC85141C1D8CCE4615.TMP by csc.exe
- File created \??\c:\Windows\System32\enb1sa.exe by csc.exe
Drops file in Program Files directory 2 IoCs
- File created C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\services.exe by ChainPortsurrogate.exe
- File created C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\c5b4cb5e9653cc by ChainPortsurrogate.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by:
- 595fab3363e5c90ecf3f7375a0b82d996c96b6a0307ad31e6d79dde07eeb8595.exe
- WScript.exe
- cmd.exe
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 8 IoCs
Adversaries may check for Internet connectivity on compromised systems. In this run every instance is "ping -n 10 localhost" (see the process tree), which reaches nothing outside the host and serves as a roughly nine-second pause before ChainPortsurrogate.exe relaunches itself, so read this signature as a delay idiom here rather than a connectivity check.
PID / Process: 4976, 5068, 524, 2660, 3052, 2060, 1104, 1752, all PING.EXE
Modifies registry class 17 IoCs
Key created \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings by ChainPortsurrogate.exe (16 times) and 595fab3363e5c90ecf3f7375a0b82d996c96b6a0307ad31e6d79dde07eeb8595.exe (once)
Runs ping.exe 1 TTPs 8 IoCs
pid Process 524 PING.EXE 2660 PING.EXE 3052 PING.EXE 2060 PING.EXE 1104 PING.EXE 1752 PING.EXE 4976 PING.EXE 5068 PING.EXE -
Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
18 instances of schtasks.exe: PIDs 4432, 3144, 4228, 376, 2164, 1064, 3944, 860, 4612, 2592, 5040, 3092, 4060, 3692, 4388, 1388, 2344, 880
Suspicious behavior: EnumeratesProcesses 64 IoCs
All 64 events from PID 2376 ChainPortsurrogate.exe
Suspicious use of AdjustPrivilegeToken 16 IoCs
Token: SeDebugPrivilege enabled by every ChainPortsurrogate.exe instance, PIDs 2376, 3160, 1944, 840, 3516, 2500, 1460, 4708, 4368, 4544, 3700, 1060, 4216, 4740, 1256, 1452
Suspicious use of WriteProcessMemory 64 IoCs
The 64 logged calls collapse to 31 distinct parent -> child pairs (call count and sandbox procid_target in brackets):
- 1248 595fab3363e5c90ecf3f7375a0b82d996c96b6a0307ad31e6d79dde07eeb8595.exe -> 4496 [x3, 82]
- 4496 WScript.exe -> 2460 [x3, 87]
- 2460 cmd.exe -> 2376 [x2, 89]
- 2376 ChainPortsurrogate.exe -> 2564 [x2, 93]
- 2564 csc.exe -> 4080 [x2, 95]
- 2376 ChainPortsurrogate.exe -> 1856 [x2, 111]
- 1856 cmd.exe -> 2548 [x2, 113]
- 1856 cmd.exe -> 3648 [x2, 114]
- 1856 cmd.exe -> 3160 [x2, 118]
- 3160 ChainPortsurrogate.exe -> 636 [x2, 119]
- 636 cmd.exe -> 2384 [x2, 121]
- 636 cmd.exe -> 3052 [x2, 122]
- 636 cmd.exe -> 1944 [x2, 123]
- 1944 ChainPortsurrogate.exe -> 3380 [x2, 124]
- 3380 cmd.exe -> 640 [x2, 126]
- 3380 cmd.exe -> 2060 [x2, 127]
- 3380 cmd.exe -> 840 [x2, 130]
- 840 ChainPortsurrogate.exe -> 2132 [x2, 131]
- 2132 cmd.exe -> 336 [x2, 133]
- 2132 cmd.exe -> 1104 [x2, 134]
- 2132 cmd.exe -> 3516 [x2, 135]
- 3516 ChainPortsurrogate.exe -> 1184 [x2, 136]
- 1184 cmd.exe -> 4576 [x2, 138]
- 1184 cmd.exe -> 1752 [x2, 139]
- 1184 cmd.exe -> 2500 [x2, 140]
- 2500 ChainPortsurrogate.exe -> 5088 [x2, 141]
- 5088 cmd.exe -> 1856 [x2, 143]
- 5088 cmd.exe -> 1136 [x2, 144]
- 5088 cmd.exe -> 1460 [x2, 145]
- 1460 ChainPortsurrogate.exe -> 4820 [x2, 146]
- 4820 cmd.exe -> 4304 [x2, 148]
The writes into freshly created children are what the sandbox records for ordinary process creation by these parents, not code injection. Note that PIDs are reused within the run: 1856 is first cmd.exe and later the chcp.com child of 5088, and the process tree shows the same for 2132, 3052, 3092 and 4708, so match on procid_target (or on PID plus creation time) rather than on PID alone.
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
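The WriteProcessMemory pairs above and the process tree below describe one loop repeated 16 times: ChainPortsurrogate.exe runs a batch file from the user's Temp directory via cmd.exe /C, the batch switches the code page, sleeps with either "ping -n 10 localhost" or a w32tm stripchart, then starts ChainPortsurrogate.exe again. The following detection is an added example, not sandbox or DcRat code; it walks parent/child links over events constructed from the PIDs and command lines in this report (three iterations plus a constructed benign batch that pings without relaunching) and reports chains of the form image -> cmd.exe /C *.bat -> delay -> same image. The delay estimates are approximations of the two idioms' wall-clock behaviour and are assumptions, not measured values.

```python
"""Detect the delay-and-relaunch loop visible in the report's process tree.

Added example, not part of the sandbox report. Events are constructed from
the tree; the algorithm is generic over any image that relaunches itself
through a cmd.exe batch containing a sleep idiom.
"""
import ntpath
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


CPS = r"C:\ProviderserverruntimeperfSvc\ChainPortsurrogate.exe"
CMD = r"C:\Windows\System32\cmd.exe"
CHCP = r"C:\Windows\system32\chcp.com"
PING = r"C:\Windows\system32\PING.EXE"
W32TM = r"C:\Windows\system32\w32tm.exe"

# Constructed from the report's tree: PID 2376 relaunches itself three times.
SAMPLE_EVENTS = [
    ProcEvent(2376, 2460, CPS, f'"{CPS}"'),
    ProcEvent(2564, 2376, r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
              r'csc.exe /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\fakg2ago\fakg2ago.cmdline"'),
    ProcEvent(1856, 2376, CMD, r'"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\s4lwCkAQ41.bat"'),
    ProcEvent(2548, 1856, CHCP, "chcp 65001"),
    ProcEvent(3648, 1856, W32TM, "w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2"),
    ProcEvent(3160, 1856, CPS, f'"{CPS}"'),
    ProcEvent(636, 3160, CMD, r'"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\HnJb1ZSpW8.bat"'),
    ProcEvent(2384, 636, CHCP, "chcp 65001"),
    ProcEvent(3052, 636, PING, "ping -n 10 localhost"),
    ProcEvent(1944, 636, CPS, f'"{CPS}"'),
    ProcEvent(3380, 1944, CMD, r'"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\1dc23k5BXS.bat"'),
    ProcEvent(640, 3380, CHCP, "chcp 65001"),
    ProcEvent(2060, 3380, PING, "ping -n 10 localhost"),
    ProcEvent(840, 3380, CPS, f'"{CPS}"'),
    # Benign control (constructed): a script that pings but relaunches nothing.
    ProcEvent(9000, 8000, CMD, r'"C:\Windows\System32\cmd.exe" /C "C:\Scripts\check.bat"'),
    ProcEvent(9001, 9000, PING, "ping -n 4 localhost"),
]


def _name(image: str) -> str:
    return ntpath.basename(image).lower()


def delay_seconds(ev: ProcEvent) -> Optional[float]:
    """Approximate sleep produced by the two delay idioms in the report.

    Assumptions: ping -n N localhost waits about one second between echoes,
    so roughly N-1 s; w32tm /stripchart /period:P /samples:S spaces its
    samples P seconds apart (default period 2), so roughly P*(S-1) s.
    Returns None for any other process.
    """
    name, args = _name(ev.image), ev.cmdline.lower().split()
    if name == "ping.exe" and "localhost" in args and "-n" in args:
        return float(max(int(args[args.index("-n") + 1]) - 1, 0))
    if name == "w32tm.exe" and "/stripchart" in args:
        opts = dict(a[1:].split(":", 1) for a in args if a.startswith("/") and ":" in a)
        return float(int(opts.get("period", 2)) * (int(opts.get("samples", 1)) - 1))
    return None


def relaunch_of(proc: ProcEvent, children) -> Optional[ProcEvent]:
    """The copy of proc's image started by a delaying cmd.exe /C *.bat child, if any."""
    for c in children[proc.pid]:
        if _name(c.image) != "cmd.exe" or ".bat" not in c.cmdline.lower():
            continue
        grandchildren = children[c.pid]
        if not any(delay_seconds(g) is not None for g in grandchildren):
            continue
        for g in grandchildren:
            if g.image.lower() == proc.image.lower():
                return g
    return None


def find_relaunch_chains(events) -> list:
    """Return each relaunch chain as the list of PIDs, oldest first."""
    children = defaultdict(list)
    for e in events:
        children[e.ppid].append(e)
    nxt = {}
    for e in events:
        hit = relaunch_of(e, children)
        if hit is not None:
            nxt[e.pid] = hit.pid
    relaunched = set(nxt.values())
    chains = []
    for start in sorted(p for p in nxt if p not in relaunched):
        chain = [start]
        # The second condition guards against loops caused by PID reuse.
        while chain[-1] in nxt and nxt[chain[-1]] not in chain:
            chain.append(nxt[chain[-1]])
        chains.append(chain)
    return chains


if __name__ == "__main__":
    for chain in find_relaunch_chains(SAMPLE_EVENTS):
        print(f"relaunch chain of {len(chain)} processes: " + " -> ".join(map(str, chain)))
```

Over the full tree the chain would run from PID 2376 through all 16 ChainPortsurrogate.exe instances; a chain longer than two of the same image through Temp batch files is a better hunting key than any single ping or w32tm process, both of which are common on healthy hosts.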
Processes
Each entry gives image path, command line and PID; [N] is the depth in the tree, so an entry's parent is the nearest preceding entry at depth N-1. The schtasks.exe entries at the end sit at depth 1 because their recorded parent is WmiPrvSE.exe (PID 884), which is not part of this tree.

[1] PID 1248  C:\Users\Admin\AppData\Local\Temp\595fab3363e5c90ecf3f7375a0b82d996c96b6a0307ad31e6d79dde07eeb8595.exe
    cmdline: "C:\Users\Admin\AppData\Local\Temp\595fab3363e5c90ecf3f7375a0b82d996c96b6a0307ad31e6d79dde07eeb8595.exe"
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
[2] PID 4496  C:\Windows\SysWOW64\WScript.exe
    cmdline: "C:\Windows\System32\WScript.exe" "C:\ProviderserverruntimeperfSvc\4oe8qKx4BC4jNir9oLrOplwqP.vbe"
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
[3] PID 2460  C:\Windows\SysWOW64\cmd.exe
    cmdline: C:\Windows\system32\cmd.exe /c ""C:\ProviderserverruntimeperfSvc\wnVkTofZircZrFhWJh5AKDNhgeSRpsYNieNXBbC85wZu.bat" "
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
[4] PID 2376  C:\ProviderserverruntimeperfSvc\ChainPortsurrogate.exe
    cmdline: "C:\ProviderserverruntimeperfSvc/ChainPortsurrogate.exe"
    - Modifies WinLogon for persistence
    - Checks computer location settings
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in Program Files directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
[5] PID 2564  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
    cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\fakg2ago\fakg2ago.cmdline"
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
[6] PID 4080  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7EC5.tmp" "c:\Windows\System32\CSCF72B44DD612C48DC85141C1D8CCE4615.TMP"
[5] PID 1856  C:\Windows\System32\cmd.exe
    cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\s4lwCkAQ41.bat"
    - Suspicious use of WriteProcessMemory
[6] PID 2548  C:\Windows\system32\chcp.com
    cmdline: chcp 65001
[6] PID 3648  C:\Windows\system32\w32tm.exe
    cmdline: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
[6] PID 3160  C:\ProviderserverruntimeperfSvc\ChainPortsurrogate.exe
    cmdline: "C:\ProviderserverruntimeperfSvc\ChainPortsurrogate.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
[7] PID 636  C:\Windows\System32\cmd.exe
    cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\HnJb1ZSpW8.bat"
    - Suspicious use of WriteProcessMemory
[8] PID 2384  C:\Windows\system32\chcp.com
    cmdline: chcp 65001
[8] PID 3052  C:\Windows\system32\PING.EXE
    cmdline: ping -n 10 localhost
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
[8] PID 1944  C:\ProviderserverruntimeperfSvc\ChainPortsurrogate.exe
    cmdline: "C:\ProviderserverruntimeperfSvc\ChainPortsurrogate.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
[9] PID 3380  C:\Windows\System32\cmd.exe
    cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\1dc23k5BXS.bat"
    - Suspicious use of WriteProcessMemory
[10] PID 640  C:\Windows\system32\chcp.com
    cmdline: chcp 65001
[10] PID 2060  C:\Windows\system32\PING.EXE
    cmdline: ping -n 10 localhost
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
[10] PID 840  C:\ProviderserverruntimeperfSvc\ChainPortsurrogate.exe
    cmdline: "C:\ProviderserverruntimeperfSvc\ChainPortsurrogate.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
[11] PID 2132  C:\Windows\System32\cmd.exe
    cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\bnA1lkrrKq.bat"
    - Suspicious use of WriteProcessMemory
[12] PID 336  C:\Windows\system32\chcp.com
    cmdline: chcp 65001
[12] PID 1104  C:\Windows\system32\PING.EXE
    cmdline: ping -n 10 localhost
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
[12] PID 3516  C:\ProviderserverruntimeperfSvc\ChainPortsurrogate.exe
    cmdline: "C:\ProviderserverruntimeperfSvc\ChainPortsurrogate.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
[13] PID 1184  C:\Windows\System32\cmd.exe
    cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\QtbRvp1Luy.bat"
    - Suspicious use of WriteProcessMemory
[14] PID 4576  C:\Windows\system32\chcp.com
    cmdline: chcp 65001
[14] PID 1752  C:\Windows\system32\PING.EXE
    cmdline: ping -n 10 localhost
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
[14] PID 2500  C:\ProviderserverruntimeperfSvc\ChainPortsurrogate.exe
    cmdline: "C:\ProviderserverruntimeperfSvc\ChainPortsurrogate.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
[15] PID 5088  C:\Windows\System32\cmd.exe
    cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\2rRAYV41jN.bat"
    - Suspicious use of WriteProcessMemory
[16] PID 1856  C:\Windows\system32\chcp.com
    cmdline: chcp 65001
[16] PID 1136  C:\Windows\system32\w32tm.exe
    cmdline: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
[16] PID 1460  C:\ProviderserverruntimeperfSvc\ChainPortsurrogate.exe
    cmdline: "C:\ProviderserverruntimeperfSvc\ChainPortsurrogate.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
[17] PID 4820  C:\Windows\System32\cmd.exe
    cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\NkZfuSJvBK.bat"
    - Suspicious use of WriteProcessMemory
[18] PID 4304  C:\Windows\system32\chcp.com
    cmdline: chcp 65001
[18] PID 3176  C:\Windows\system32\w32tm.exe
    cmdline: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
[18] PID 4708  C:\ProviderserverruntimeperfSvc\ChainPortsurrogate.exe
    cmdline: "C:\ProviderserverruntimeperfSvc\ChainPortsurrogate.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
[19] PID 3216  C:\Windows\System32\cmd.exe
    cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\D5pDZHTGxN.bat"
[20] PID 924  C:\Windows\system32\chcp.com
    cmdline: chcp 65001
[20] PID 2136  C:\Windows\system32\w32tm.exe
    cmdline: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
[20] PID 4368  C:\ProviderserverruntimeperfSvc\ChainPortsurrogate.exe
    cmdline: "C:\ProviderserverruntimeperfSvc\ChainPortsurrogate.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
[21] PID 1892  C:\Windows\System32\cmd.exe
    cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\R7RZQa1C6t.bat"
[22] PID 3376  C:\Windows\system32\chcp.com
    cmdline: chcp 65001
[22] PID 4976  C:\Windows\system32\PING.EXE
    cmdline: ping -n 10 localhost
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
[22] PID 4544  C:\ProviderserverruntimeperfSvc\ChainPortsurrogate.exe
    cmdline: "C:\ProviderserverruntimeperfSvc\ChainPortsurrogate.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
[23] PID 1160  C:\Windows\System32\cmd.exe
    cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\p3fxByWxmm.bat"
[24] PID 2612  C:\Windows\system32\chcp.com
    cmdline: chcp 65001
[24] PID 5068  C:\Windows\system32\PING.EXE
    cmdline: ping -n 10 localhost
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
[24] PID 3700  C:\ProviderserverruntimeperfSvc\ChainPortsurrogate.exe
    cmdline: "C:\ProviderserverruntimeperfSvc\ChainPortsurrogate.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
[25] PID 4864  C:\Windows\System32\cmd.exe
    cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\2rRAYV41jN.bat"
[26] PID 2960  C:\Windows\system32\chcp.com
    cmdline: chcp 65001
[26] PID 2456  C:\Windows\system32\w32tm.exe
    cmdline: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
[26] PID 1060  C:\ProviderserverruntimeperfSvc\ChainPortsurrogate.exe
    cmdline: "C:\ProviderserverruntimeperfSvc\ChainPortsurrogate.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
[27] PID 5072  C:\Windows\System32\cmd.exe
    cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Ub5pO60uUj.bat"
[28] PID 2940  C:\Windows\system32\chcp.com
    cmdline: chcp 65001
[28] PID 4964  C:\Windows\system32\w32tm.exe
    cmdline: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
[28] PID 4216  C:\ProviderserverruntimeperfSvc\ChainPortsurrogate.exe
    cmdline: "C:\ProviderserverruntimeperfSvc\ChainPortsurrogate.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
[29] PID 2364  C:\Windows\System32\cmd.exe
    cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\nFOCGIGxkl.bat"
[30] PID 4312  C:\Windows\system32\chcp.com
    cmdline: chcp 65001
[30] PID 3052  C:\Windows\system32\w32tm.exe
    cmdline: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
[30] PID 4740  C:\ProviderserverruntimeperfSvc\ChainPortsurrogate.exe
    cmdline: "C:\ProviderserverruntimeperfSvc\ChainPortsurrogate.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
[31] PID 4708  C:\Windows\System32\cmd.exe
    cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ZXPLL9zJFP.bat"
[32] PID 4464  C:\Windows\system32\chcp.com
    cmdline: chcp 65001
[32] PID 524  C:\Windows\system32\PING.EXE
    cmdline: ping -n 10 localhost
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
C:\ProviderserverruntimeperfSvc\ChainPortsurrogate.exe"C:\ProviderserverruntimeperfSvc\ChainPortsurrogate.exe"32⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:1256 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\gjUXinqH5W.bat"33⤵PID:3672
-
C:\Windows\system32\chcp.comchcp 6500134⤵PID:3092
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost34⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2660
-
-
C:\ProviderserverruntimeperfSvc\ChainPortsurrogate.exe"C:\ProviderserverruntimeperfSvc\ChainPortsurrogate.exe"34⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:1452 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Cq054WUQlS.bat"35⤵PID:2132
-
C:\Windows\system32\chcp.comchcp 6500136⤵PID:5044
-
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:236⤵PID:4388
-
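The tree above repeats one unit over and over: cmd.exe runs a randomly named .bat from the user's Temp directory, the batch switches the console to code page 65001, burns a few seconds with either w32tm /stripchart against localhost or ping -n 10 localhost (neither does anything useful, both just delay), and then relaunches ChainPortsurrogate.exe from a directory under C:\ that no legitimate installer uses. The following detection is an added example, not part of the tria.ge report or of the sample: it walks a list of process-creation events shaped like Sysmon Event ID 1 fields and reports every cmd.exe whose children fit that unit. The event list is constructed; PIDs, paths and command lines are copied from the report, the parent PID of the first cmd.exe (not shown above) is set to 0, one intermediate level is omitted, and a benign batch that also pings a host is added as a control.

```python
"""Detect the batch-driven self-restart loop shown in the process tree above.

Added example, not part of the tria.ge report or of the sample. The events
below are constructed to mirror Sysmon Event ID 1 fields (pid, ppid, image,
command line); PIDs, paths and command lines are copied from the report, the
parent of the first cmd.exe (not shown above) is set to 0, and one benign
batch chain is added as a control.
"""
import re
from collections import defaultdict

EVENTS = [
    # Report, levels 25-26: cmd.exe runs a .bat from Temp; the batch sets code page 65001,
    # burns a few seconds with w32tm against localhost, then relaunches the dropped EXE.
    {"pid": 4864, "ppid": 0, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\2rRAYV41jN.bat"'},
    {"pid": 2960, "ppid": 4864, "image": r"C:\Windows\system32\chcp.com", "cmdline": "chcp 65001"},
    {"pid": 2456, "ppid": 4864, "image": r"C:\Windows\system32\w32tm.exe",
     "cmdline": "w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2"},
    {"pid": 1060, "ppid": 4864, "image": r"C:\ProviderserverruntimeperfSvc\ChainPortsurrogate.exe",
     "cmdline": r'"C:\ProviderserverruntimeperfSvc\ChainPortsurrogate.exe"'},
    # Report, levels 31-32: same loop with ping -n 10 localhost as the delay (parent 4740 omitted here).
    {"pid": 4708, "ppid": 4740, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ZXPLL9zJFP.bat"'},
    {"pid": 4464, "ppid": 4708, "image": r"C:\Windows\system32\chcp.com", "cmdline": "chcp 65001"},
    {"pid": 524, "ppid": 4708, "image": r"C:\Windows\system32\PING.EXE", "cmdline": "ping -n 10 localhost"},
    {"pid": 1256, "ppid": 4708, "image": r"C:\ProviderserverruntimeperfSvc\ChainPortsurrogate.exe",
     "cmdline": r'"C:\ProviderserverruntimeperfSvc\ChainPortsurrogate.exe"'},
    # Constructed benign control: an admin script that pings a server and relaunches nothing.
    {"pid": 7000, "ppid": 0, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\healthcheck.bat"'},
    {"pid": 7001, "ppid": 7000, "image": r"C:\Windows\system32\PING.EXE", "cmdline": "ping -n 4 fileserver"},
]

# A .bat under the user's %TEMP% handed to cmd /C.
TEMP_BAT = re.compile(r'/c\s+"?([a-z]:\\users\\[^"]*?\\appdata\\local\\temp\\[^"\\]+\.bat)"?', re.I)
# Both of these only consume time: w32tm sampling localhost, or pinging localhost N times.
LOCALHOST_DELAY = re.compile(r"^(w32tm\s+/stripchart\s+/computer:localhost|ping\s+-n\s+\d+\s+localhost)\b", re.I)


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def find_restart_chains(events):
    """Return one record per cmd.exe whose children match: Temp .bat + localhost delay
    + an .exe launched from outside C:\\Windows. chcp 65001 is reported, not required,
    so a variant that drops the code-page switch is still caught."""
    children = defaultdict(list)
    for e in events:
        children[e["ppid"]].append(e)
    hits = []
    for e in events:
        if basename(e["image"]) != "cmd.exe":
            continue
        m = TEMP_BAT.search(e["cmdline"])
        if not m:
            continue
        kids = children[e["pid"]]
        delays = [k["cmdline"] for k in kids if LOCALHOST_DELAY.match(k["cmdline"])]
        relaunched = [k["image"] for k in kids
                      if k["image"].lower().endswith(".exe")
                      and not k["image"].lower().startswith("c:\\windows\\")]
        if delays and relaunched:
            hits.append({
                "cmd_pid": e["pid"],
                "bat": m.group(1),
                "delay": delays[0],
                "relaunched": relaunched,
                "chcp_utf8": any(basename(k["image"]) == "chcp.com" and "65001" in k["cmdline"]
                                 for k in kids),
            })
    return hits


if __name__ == "__main__":
    for h in find_restart_chains(EVENTS):
        print(f"cmd pid {h['cmd_pid']}: {h['bat']} -> {h['delay']!r} -> {h['relaunched']}")
```

On the report's events this returns the two cmd.exe instances (4864 and 4708) and nothing for the control, because the control's ping targets a real host and no executable is launched next to it. The chain itself, not any single child, is the signal: chcp, w32tm and ping are all legitimate on their own, which is why each link is only a weak indicator in the report's own signature list.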
- C:\Windows\system32\schtasks.exe (tree level 1, PID 3092)
  Command line: schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 6 /tr "'C:\Users\Public\SppExtComObj.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
- C:\Windows\system32\schtasks.exe (tree level 1, PID 2344)
  Command line: schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Users\Public\SppExtComObj.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
- C:\Windows\system32\schtasks.exe (tree level 1, PID 880)
  Command line: schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 11 /tr "'C:\Users\Public\SppExtComObj.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
- C:\Windows\system32\schtasks.exe (tree level 1, PID 4228)
  Command line: schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\Users\Default\Pictures\dwm.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
- C:\Windows\system32\schtasks.exe (tree level 1, PID 4060)
  Command line: schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\Default\Pictures\dwm.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
- C:\Windows\system32\schtasks.exe (tree level 1, PID 376)
  Command line: schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\Users\Default\Pictures\dwm.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
- C:\Windows\system32\schtasks.exe (tree level 1, PID 860)
  Command line: schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\services.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
- C:\Windows\system32\schtasks.exe (tree level 1, PID 2592)
  Command line: schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\services.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
- C:\Windows\system32\schtasks.exe (tree level 1, PID 4612)
  Command line: schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\services.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
- C:\Windows\system32\schtasks.exe (tree level 1, PID 3692)
  Command line: schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\ProviderserverruntimeperfSvc\dwm.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
- C:\Windows\system32\schtasks.exe (tree level 1, PID 2164)
  Command line: schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\ProviderserverruntimeperfSvc\dwm.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
- C:\Windows\system32\schtasks.exe (tree level 1, PID 5040)
  Command line: schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\ProviderserverruntimeperfSvc\dwm.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
- C:\Windows\system32\schtasks.exe (tree level 1, PID 4388)
  Command line: schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\services.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
- C:\Windows\system32\schtasks.exe (tree level 1, PID 1388)
  Command line: schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\services.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
- C:\Windows\system32\schtasks.exe (tree level 1, PID 4432)
  Command line: schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\services.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
- C:\Windows\system32\schtasks.exe (tree level 1, PID 1064)
  Command line: schtasks.exe /create /tn "ChainPortsurrogateC" /sc MINUTE /mo 7 /tr "'C:\ProviderserverruntimeperfSvc\ChainPortsurrogate.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
- C:\Windows\system32\schtasks.exe (tree level 1, PID 3944)
  Command line: schtasks.exe /create /tn "ChainPortsurrogate" /sc ONLOGON /tr "'C:\ProviderserverruntimeperfSvc\ChainPortsurrogate.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
- C:\Windows\system32\schtasks.exe (tree level 1, PID 3144)
  Command line: schtasks.exe /create /tn "ChainPortsurrogateC" /sc MINUTE /mo 13 /tr "'C:\ProviderserverruntimeperfSvc\ChainPortsurrogate.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
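The eighteen schtasks commands above follow one template per dropped binary: a MINUTE task without /rl (so it runs at the default LIMITED level), an ONLOGON task with /rl HIGHEST, and a second MINUTE task with /rl HIGHEST, all with /f and all with the target path wrapped as "'...'" (single quotes inside the double quotes). Five of the six targets carry the name of a real Windows binary (dwm.exe, services.exe, SppExtComObj.exe) but sit in user, recovery or Program Files directories. Two things are easy to miss when reading the list by eye: the task names are shared across different targets ("dwmd" and "dwm" for both dwm.exe copies, "servicess" and "services" for both services.exe copies), and because every command passes /f, each later create silently replaces the earlier task of the same name. The script below is an added example, not part of the tria.ge report or of the sample: it parses the command lines copied from the report, flags the masquerading targets, and resolves which tasks actually survive. The expected-location table and the assumption that the commands ran in the order listed are this example's own; the Winlogon and Run-key persistence counted under MITRE ATT&CK below is a separate mechanism and is not modelled here.

```python
"""Effective-persistence view of the 18 schtasks /create commands above.

Added example, not part of the tria.ge report or of the sample. The command
lines are copied from the report. The expected-location table and the
assumption that the commands ran in the order listed are this example's own.
"""
import re

SCHTASKS_CREATES = [
    r'''schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 6 /tr "'C:\Users\Public\SppExtComObj.exe'" /f''',
    r'''schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Users\Public\SppExtComObj.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 11 /tr "'C:\Users\Public\SppExtComObj.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\Users\Default\Pictures\dwm.exe'" /f''',
    r'''schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\Default\Pictures\dwm.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\Users\Default\Pictures\dwm.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\services.exe'" /f''',
    r'''schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\services.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\services.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\ProviderserverruntimeperfSvc\dwm.exe'" /f''',
    r'''schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\ProviderserverruntimeperfSvc\dwm.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\ProviderserverruntimeperfSvc\dwm.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\services.exe'" /f''',
    r'''schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\services.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\services.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "ChainPortsurrogateC" /sc MINUTE /mo 7 /tr "'C:\ProviderserverruntimeperfSvc\ChainPortsurrogate.exe'" /f''',
    r'''schtasks.exe /create /tn "ChainPortsurrogate" /sc ONLOGON /tr "'C:\ProviderserverruntimeperfSvc\ChainPortsurrogate.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "ChainPortsurrogateC" /sc MINUTE /mo 13 /tr "'C:\ProviderserverruntimeperfSvc\ChainPortsurrogate.exe'" /rl HIGHEST /f''',
]

# Where Windows really keeps binaries with these names (this example's own table).
EXPECTED_DIRS = {
    "dwm.exe": {r"c:\windows\system32"},
    "services.exe": {r"c:\windows\system32"},
    "sppextcomobj.exe": {r"c:\windows\system32"},
}

OPTION = re.compile(r'/(tn|sc|mo|tr|rl)\s+("[^"]*"|\S+)', re.I)


def parse_create(cmdline):
    """Pull the fields that matter out of one schtasks /create command line."""
    opts = {k.lower(): v.strip('"') for k, v in OPTION.findall(cmdline)}
    return {
        "name": opts["tn"],
        "schedule": opts["sc"].upper(),
        "every_min": int(opts["mo"]) if "mo" in opts else None,
        # schtasks defaults /rl to LIMITED when it is not given.
        "run_level": opts.get("rl", "LIMITED").upper(),
        # The builder wraps the path in single quotes inside the double quotes.
        "target": opts["tr"].strip("'"),
        "force": re.search(r"\s/f\b", cmdline, re.I) is not None,
    }


def is_masquerading(target):
    """True when the file name is a known Windows binary but the directory is not its real home."""
    directory, _, name = target.lower().rpartition("\\")
    return name in EXPECTED_DIRS and directory not in EXPECTED_DIRS[name]


def effective_tasks(tasks):
    """Resolve what survives: /f lets a later /create replace an earlier task of the same name."""
    table = {}
    for t in tasks:
        if t["name"] in table and not t["force"]:
            continue  # without /f schtasks refuses to overwrite an existing task name
        table[t["name"]] = t
    return table


def orphaned_targets(tasks):
    """Dropped binaries left with no scheduled task once the name collisions are resolved."""
    wanted = {t["target"] for t in tasks}
    kept = {t["target"] for t in effective_tasks(tasks).values()}
    return wanted - kept


TASKS = [parse_create(c) for c in SCHTASKS_CREATES]

if __name__ == "__main__":
    for name, t in effective_tasks(TASKS).items():
        flag = "MASQUERADE" if is_masquerading(t["target"]) else ""
        print(f"{name:22} {t['schedule']:8} {t['every_min'] or '':>3} {t['run_level']:8} {t['target']} {flag}")
    print("no task survives for:", sorted(orphaned_targets(TASKS)))
```

Under the in-order assumption only eight task names exist at the end, the LIMITED MINUTE task of every triple has been overwritten by its HIGHEST twin, and C:\Users\Default\Pictures\dwm.exe and the services.exe copy under Program Files are left with no task at all. When responding, enumerate tasks by action path rather than by name, and treat the "'...'" quoting in /tr as a string-match indicator in its own right, since every one of the eighteen commands carries it.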
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
- Scheduled Task/Job (1)
  - Scheduled Task (1)
Privilege Escalation
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
- Scheduled Task/Job (1)
  - Scheduled Task (1)
Downloads
- Filesize: 250B
  MD5: d8776d21a414703fcf32711bb7ecdfb4
  SHA1: 1c6820ca5097513a2be072a3b43eff1fc8403184
  SHA256: bb5a09775dcaeb1c3c4d3cdd4c207c96f1a153aa23fed7512367eca6a3a0c22d
  SHA512: ad33ca536cc149301ba111280388a9a6295ddd7c2be76fa3eefba8cab1f2727a4effc57b24adbf0be8f10c2d13872c215f9512dd470990541b39e2d2681595a9
- Filesize: 825KB
  MD5: ce09db6adeeca051ff01abd8cf2e400d
  SHA1: 14e60e202c180152757a89d13d9989ec35e1f5a2
  SHA256: ad372edd698062a90f4744da16f88cc5bb45ca9b1cb70fc7350673d293f2bc16
  SHA512: e80449cde93d19790e64c1fe24af1aeb00a3c392b4d57a529205a2339bbaa675b6ee21d2d068d65ef21c37d23d2f1b8b458706068ffe850410dc290c4d5c0ce3
- Filesize: 110B
  MD5: 9c91fe8e1765ddf30eda4052cbecbf48
  SHA1: 8acec401bdec034d55ead6804c69505c1d680e67
  SHA256: 9420d7930ae9f2040d5b46bc120da24e920fccf6882e69b74269f71e75cc0718
  SHA512: e72ec080ae8fc66a5f712e3a525f0013d406b587523b3b6ff8dc80f12f12af183fc77b578293808f07e916a8b6f2252206b3c899200d0f70540cb70de467ea87
- Filesize: 1KB
  MD5: 23e95ec462ffa2c6ca8cab1cb8724ab1
  SHA1: ee3f5e815831cf925c4f00195cc8f336b6112862
  SHA256: c6ed38229b96cfb59e61de06854a1a99a9d6c3285a6b8511a7b60d64caa6979c
  SHA512: b92242ea8d3dbcd3de11725995c22f0a747b820cfff7cf44217589289621bdc2a25bb4db0e1f385bd6bc84c15d893fa5dad544e6bab89f072ccb822cd8bd08dd
- Filesize: 182B
  MD5: 1f763f9cedb8c47b98540071e717fbaf
  SHA1: 2130256ba484982034813ff69b1cd564ddb81113
  SHA256: 08c8745ab7298aed804083c78298fd27b62df11b10e87fe20f25703e8303e0fd
  SHA512: 60efc3214a8e2c2567098c622b2e5ae9cda9490527c9778b7d0a2ae38810fbc0490aee1daa0a57a84146774a43927aa032ef3abef265c0aed688838668929d96
- Filesize: 230B
  MD5: 20348dbad8b37d377590f4a866247473
  SHA1: 2096ff49854321c2a843e3af1ad1e009c7e485d8
  SHA256: ba4b091c7bb9b21115db3076272a17c2a97ce83ffda271597a6f7ce880f664df
  SHA512: 1505817d2a100fa6cfdae472e7b4257a7ef9c0f8a28d23f9263413113912b0cbb85f1890135c58df52caaba942a1d611a24fcd0fc148ef78af54a3900adc0db3
- Filesize: 230B
  MD5: e325e0f4fa01a3b9b651d5e17e23704c
  SHA1: 1a250a377ef9511fd9b1d541c543d6f49b43daff
  SHA256: b33ef2276d55e33a9b6eaa2126310a95947d4bab280b8db04d43274ed2c2ca90
  SHA512: 975d98ead8860bad2bcee39b9e9b77ad2144e28e327e9d6f3fb6b912d53820bb2f9ab5abe384844d54d3854c9d5d82bd4f3d001de40731220515c69db06f0921
- Filesize: 230B
  MD5: f71d960c9072ee12e7fa782eb05e09a1
  SHA1: 2bf35292383ccf57a97d6e744277d3e758fcfa09
  SHA256: d53db55a3de5946879500b99adac8a345d29be2c76c6b9e5cb481b20a10e72be
  SHA512: 73e33362fc8d1a349a898ba8682ba7a36355b67aae3a3dc524d6a678c7c16aad72c3de8a4c465a0568ffa55a1e63793df56c2d1ffcec7f0ceef8620dadea4d5c
- Filesize: 182B
  MD5: 52d0f16ec836d0d119481402c9367a6d
  SHA1: d145dfbd31e2e2b2b90041900e74475f85818530
  SHA256: 6e95a0659f5088bfc4a6514bcb19854b69f9e0f4674277d37365cdbbdc529b06
  SHA512: 4f990df009af15e7d9f3c8537fa40081f287cc989fa5fbcc1b124a5082b18e4ca5a199b3c7d5d9dac5b7bd3a5ef3db4580d59e33a388e6d39fb2a49281fb3fa3
- Filesize: 230B
  MD5: d075b2f35e9a2bddaf9b50a771e5d749
  SHA1: b9c250386ec078a34468c754f23573fa7f525ca6
  SHA256: 8d482ba15525032ed93631da6cacd497af653cc80550398966190c0b26fb2ab0
  SHA512: 14e635ececca1c5bcf791ca65be80fa60762ca92624fdd08c8c674ac46fd41958ec987e76958fad5c672f0c251e34a2ae2aec269344e7010170c38efdc202ac8
- Filesize: 182B
  MD5: 7a377ee8c18b872d6969dd36d24f763d
  SHA1: 3b7ba02e3834fb5c7f70e3c8f49bcb4b66c7e51a
  SHA256: 421496a947fc88803321e800d193cac43e7e0ef77648235ec38022ab47d8a8bc
  SHA512: d6fef10902761d22ca4f72db180b2dcc22f70a25dc626486cae5e900acc96b93d817712660e5c473813261feb11646e3939bf8c7a2d52db7ac9bded6421d1987
- Filesize: 182B
  MD5: b1af15fd341c5608ac5f9525db43ad41
  SHA1: 931bf8e4142baba08e4f29aff49129bf9aa907a3
  SHA256: a65f577e786292a79e932029b6ad449915db5b11be7180cd52d9411b0dd4ac1f
  SHA512: 56e2f674292720aee97afcc9ec60a960b2995edc21fed750c93c51ca76e890624ec133b82743facf1ff576f2d5b7302ccfcd2376c9b428b313020283512c6909
- Filesize: 1KB
  MD5: 6917da94fb9bfad5a4a4562b84fe753c
  SHA1: b381d70f866386f587bf3d17c7ec79d9c60f2cde
  SHA256: 07eddac04471d6e54ad6d2cb3b2123ac24e8a33fc66b84a137df488a9a364ffa
  SHA512: 548222f7952eddf4df0b1deb412353399f114a9201e50ffa0273e73b72fb491c12b674f067b31fa6d8cf25caa2b415fec789bd4203bf7db4514297c37ce696da
- Filesize: 230B
  MD5: 082e5c3b5cd35071637c0a8e3009b4b9
  SHA1: db10d940602a96a130cd4e8e2ae348adbcec3d9a
  SHA256: c73471897efb53bff82ae4f39cfb89cb94610e182cf6d80a40e36ab53440cbd0
  SHA512: ae5a0f1013d5dc7288384d70ab8e88ced158e0899490d50e2ea518aebdde686892812b11bae76844a1aadbddc22f42a3a558807d7f03cbdbbaa10a477a446cba
- Filesize: 182B
  MD5: befd18c6a8d4c23f3a8985c041877474
  SHA1: b4ad09bb7e5ec6be3fb925765745ad24d9b2fca9
  SHA256: 910682964b34af932a9b28fd5552b184841495816c119a0173faab023a79a3ef
  SHA512: dffe93012a72b6c26e63fba60820f17303473f07a8ec26de79f2515616d214da5b4663fad5393210aa170df3a1ac1008d137af0362ddab99d43155942bc95d39
- Filesize: 182B
  MD5: f553c3904c643fe41f390f7fcdb4cee1
  SHA1: a0de3d77d3f1e87b316108733421c61f1938df55
  SHA256: 8ec71ef4757a13da2012bad558f2f9d66974b7e4162fd9541de0d3eef41a0daf
  SHA512: a7739c28fc23d9ba74b5c010fd8bf904713d905440700f95e166fb7b24879ce7628e709d0edc36098b37734e75ef382586a5a34c7cc70e53ef1aa3a4f68c7057
- Filesize: 182B
  MD5: 217a35bf8606267fabb07202a7365021
  SHA1: f913818827974db8ba91281631bc900c7762e0e1
  SHA256: 5a9617423cdb0324bff01012d9dcbb11a9c947567154622783a09a7904fdb50d
  SHA512: a78c0e6f40d89eac312a3f775a74a7fac7ae1d5455279cd6e61576883895e2f5752716afa62ce8cc771f11a049f4f45dd6346e73e826d88255ba86781015dbd4
- Filesize: 230B
  MD5: ff5583d22b3848895a859a8bdaab6c0d
  SHA1: 21543a1efa11ef237c40f671bcd62ad3ed7a39f4
  SHA256: 0ce92ac5eaeeb7525b4913557b432784a9b935912d55173c5bd98d52945fd8ba
  SHA512: 2b21bc90790a6d5079ddbae810209792944e5e799b854e8875d1c4601b65c3d2eb0f7877022a9189cc831bc93193b2275ecb466d2ac7112a903e1e5f208a309e
- Filesize: 182B
  MD5: ef69b1dcc37a96faf08ab8225f79244c
  SHA1: 400826998f21a7f4ca2b6c3e1a2475210880a675
  SHA256: 36237cfdc894280b763180ce5e985a088e4200c472d69774799971a4997e53c3
  SHA512: bdb2803dbddb1e5f604f3fbb479c0521eaf73c7e55427953420b8547fe289a00cb7c14af08637a030d023db0bcac749be7574abd0c32533d06b289ed0517a11f
- Filesize: 230B
  MD5: 9a54c381577a01ed6e06625b1ce3b880
  SHA1: bff229b43821068389f402cbcdfd1100b6995d97
  SHA256: 0d3debcba639d27c08f6fe291844837ed2dec48724a2342303e8b46c3273dcef
  SHA512: b21514b0174f458d594d25e17b9060b16dde57ee9b31e1b582728f2c680f68d44c6012f56435d2fe01154baef00e592f361f01548a6d784075dc109fa29cc99b
- Filesize: 364B
  MD5: ef114aad95575b397a8918ce3649af8e
  SHA1: 57bda0dbed814728fd8de64045d53691879de907
  SHA256: e9eb040c65f0d7c714b0ded83e8cb620124d1ffae6e697a00e8a60376488c21e
  SHA512: 72940017c971f3b2dc173ebba6c42d5a1a5657f04e10f7f8d41fb321ead70a503c5b0650fa6f568817e27522dfe21a618b0271ef8e30c995ddf4c402c140fe37
- Filesize: 235B
  MD5: 1287d8db8eb0b29c208f3c48704135d8
  SHA1: 3d5cc46a563ffeeb329fe6ef6e7bddbb0040005f
  SHA256: bde75f4c5fe63e51d588fec43ad2586cf386967f1c69f465030fdefaa670797d
  SHA512: bc5359e594955a992ea7c34f491df98bba5bc590c09315e20ce2f9e669bd4226294fd4a4668d2d4579b475e3aa201d71f9a9987ba33df2f78157b564d8566022
- Filesize: 1KB
  MD5: 5984679060d0fc54eba47cead995f65a
  SHA1: f72bbbba060ac80ac6abedc7b8679e8963f63ebf
  SHA256: 4104fdf5499f0aa7dd161568257acae002620ec385f2ede2072d4f550ecff433
  SHA512: bc8aadfabe5dbb4e3ea5e07a5ccbddd363400005675acda3e9cb414dc75fb0ba74f41b4a6baf34d42f85a9ae0af7d2418420c78b0c643f7243fe93a49b8140b5