Analysis
- max time kernel: 148s
- max time network: 154s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 09/05/2024, 14:14
Static task: static1
Behavioral task: behavioral1
Sample: 57ec49d438753f3bdfec6a616258b370_NeikiAnalytics.exe
Resource: win7-20240508-en
General
- Target: 57ec49d438753f3bdfec6a616258b370_NeikiAnalytics.exe
- Size: 8.7MB
- MD5: 57ec49d438753f3bdfec6a616258b370
- SHA1: a34f757f5f2bd4763f04206c0d0cd32ab4491117
- SHA256: 872a2f4decf76a5c8cf44a9b017a780847d8b3c50571433232e398ab0931c638
- SHA512: 88bdae1b6a45efa83c4a9ff28a4549c33db28ba2bb1d1911d028090e9dc3831ef57f6577388844a4cfccc60dbca70315a7f9d7311f6638bcf00da97110e1c64a
- SSDEEP: 196608:ITAJDpNk+Rl4/Xi/yRvyCyKuhBfldGdrmVLaY1rHgu:oAlzJ7yRvyCx+xpgu
Malware Config
Signatures
Detect ZGRat V1 (3 IoCs)
resource | yara_rule
- behavioral2/files/0x0006000000022970-31.dat: family_zgrat_v1
- behavioral2/files/0x00080000000233ff-47.dat: family_zgrat_v1
- behavioral2/memory/4556-49-0x00000000001E0000-0x000000000056E000-memory.dmp: family_zgrat_v1
Modifies WinLogon for persistence (2 TTPs, 6 IoCs)
description | ioc | Process (all entries: Set value (str) by portmonitor.exe)
- \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Common Files\\Idle.exe\", \"C:\\Recovery\\WindowsRE\\explorer.exe\", \"C:\\Webnet\\services.exe\", \"C:\\Recovery\\WindowsRE\\portmonitor.exe\", \"C:\\Users\\Default\\SendTo\\smss.exe\", \"C:\\Webnet\\portmonitor.exe\""
- \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Common Files\\Idle.exe\""
- \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Common Files\\Idle.exe\", \"C:\\Recovery\\WindowsRE\\explorer.exe\""
- \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Common Files\\Idle.exe\", \"C:\\Recovery\\WindowsRE\\explorer.exe\", \"C:\\Webnet\\services.exe\""
- \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Common Files\\Idle.exe\", \"C:\\Recovery\\WindowsRE\\explorer.exe\", \"C:\\Webnet\\services.exe\", \"C:\\Recovery\\WindowsRE\\portmonitor.exe\""
- \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Common Files\\Idle.exe\", \"C:\\Recovery\\WindowsRE\\explorer.exe\", \"C:\\Webnet\\services.exe\", \"C:\\Recovery\\WindowsRE\\portmonitor.exe\", \"C:\\Users\\Default\\SendTo\\smss.exe\""
Process spawned unexpected child process (18 IoCs)
This typically indicates the parent process was compromised via an exploit or macro.
description | pid | pid_target | Process | procid_target
- description (all 18 entries): Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process
- pid_target (all entries): 4416; Process (all entries): schtasks.exe; procid_target (all entries): 94
- pid: 3636, 4000, 1744, 4388, 4156, 2424, 4944, 1452, 1096, 4660, 2756, 2936, 4524, 3648, 4728, 4380, 4168, 2792
Checks computer location settings (2 TTPs, 5 IoCs)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process (all entries: Key value queried \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation)
- portmonitor.exe
- 57ec49d438753f3bdfec6a616258b370_NeikiAnalytics.exe
- leetcrack.exe
- portmonitor.exe
- WScript.exe
Executes dropped EXE (6 IoCs)
pid | Process
- 2916 Nursultan 1.16.5 Crack.exe
- 4336 leetcrack.exe
- 1032 3b73a6fa2092a350d795.exe
- 936 portmonitor.exe
- 4556 portmonitor.exe
- 4464 explorer.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
-
resource | yara_rule
- behavioral2/files/0x00080000000233fb-22.dat: upx
- behavioral2/memory/1032-35-0x00007FF7BBD20000-0x00007FF7BC94A000-memory.dmp: upx
Adds Run key to start application (2 TTPs, 12 IoCs)
description | ioc | Process (all entries: Set value (str) by portmonitor.exe)
- \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Recovery\\WindowsRE\\explorer.exe\""
- \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Recovery\\WindowsRE\\explorer.exe\""
- \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\portmonitor = "\"C:\\Recovery\\WindowsRE\\portmonitor.exe\""
- \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Users\\Default\\SendTo\\smss.exe\""
- \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Users\\Default\\SendTo\\smss.exe\""
- \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\portmonitor = "\"C:\\Webnet\\portmonitor.exe\""
- \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Program Files\\Common Files\\Idle.exe\""
- \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Program Files\\Common Files\\Idle.exe\""
- \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Webnet\\services.exe\""
- \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Webnet\\services.exe\""
- \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\portmonitor = "\"C:\\Recovery\\WindowsRE\\portmonitor.exe\""
- \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\portmonitor = "\"C:\\Webnet\\portmonitor.exe\""
Drops file in System32 directory (2 IoCs)
description | ioc | Process
- File created \??\c:\Windows\System32\CSC56DC0060DE534FD4B15B31062D3D8C8.TMP: csc.exe
- File created \??\c:\Windows\System32\g0jyy6.exe: csc.exe
Drops file in Program Files directory (2 IoCs)
description | ioc | Process
- File created C:\Program Files\Common Files\Idle.exe: portmonitor.exe
- File created C:\Program Files\Common Files\6ccacd8608530f: portmonitor.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) (1 TTPs, 18 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process (all entries: schtasks.exe)
- pid: 1744, 4380, 4168, 2756, 2936, 4524, 2792, 4000, 2424, 1096, 3648, 4728, 4388, 4156, 4944, 3636, 1452, 4660
Modifies registry class (2 IoCs)
description | ioc | Process
- Key created \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings: portmonitor.exe
- Key created \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings: portmonitor.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process
- 4556 portmonitor.exe (the same entry repeated 64 times)
Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
pid | Process
- 4464 explorer.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
description | pid | Process
- Token: SeDebugPrivilege, 4556 portmonitor.exe
- Token: SeDebugPrivilege, 4464 explorer.exe
Suspicious use of WriteProcessMemory (31 IoCs)
description | pid | Process | procid_target (identical rows grouped, with their count)
- PID 4816 wrote to memory of 2916; 4816 57ec49d438753f3bdfec6a616258b370_NeikiAnalytics.exe; procid_target 82 (3 entries)
- PID 4816 wrote to memory of 4336; 4816 57ec49d438753f3bdfec6a616258b370_NeikiAnalytics.exe; procid_target 84 (3 entries)
- PID 4336 wrote to memory of 1032; 4336 leetcrack.exe; procid_target 86 (2 entries)
- PID 4336 wrote to memory of 936; 4336 leetcrack.exe; procid_target 87 (3 entries)
- PID 936 wrote to memory of 3972; 936 portmonitor.exe; procid_target 89 (3 entries)
- PID 3972 wrote to memory of 4732; 3972 WScript.exe; procid_target 91 (3 entries)
- PID 4732 wrote to memory of 4556; 4732 cmd.exe; procid_target 93 (2 entries)
- PID 4556 wrote to memory of 2748; 4556 portmonitor.exe; procid_target 98 (2 entries)
- PID 2748 wrote to memory of 3184; 2748 csc.exe; procid_target 100 (2 entries)
- PID 4556 wrote to memory of 4012; 4556 portmonitor.exe; procid_target 116 (2 entries)
- PID 4012 wrote to memory of 3952; 4012 cmd.exe; procid_target 118 (2 entries)
- PID 4012 wrote to memory of 1684; 4012 cmd.exe; procid_target 119 (2 entries)
- PID 4012 wrote to memory of 4464; 4012 cmd.exe; procid_target 120 (2 entries)
Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Users\Admin\AppData\Local\Temp\57ec49d438753f3bdfec6a616258b370_NeikiAnalytics.exe (PID 4816)
  command line: "C:\Users\Admin\AppData\Local\Temp\57ec49d438753f3bdfec6a616258b370_NeikiAnalytics.exe"
  signatures: Checks computer location settings; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\Nursultan 1.16.5 Crack.exe (PID 2916)
    command line: "C:\Users\Admin\AppData\Local\Temp\Nursultan 1.16.5 Crack.exe"
    signatures: Executes dropped EXE
  - C:\Users\Admin\AppData\Local\Temp\leetcrack.exe (PID 4336)
    command line: "C:\Users\Admin\AppData\Local\Temp\leetcrack.exe"
    signatures: Checks computer location settings; Executes dropped EXE; Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\3b73a6fa2092a350d795.exe (PID 1032)
      command line: "C:\Users\Admin\AppData\Local\Temp\3b73a6fa2092a350d795.exe"
      signatures: Executes dropped EXE
    - C:\Users\Admin\AppData\Local\Temp\portmonitor.exe (PID 936)
      command line: "C:\Users\Admin\AppData\Local\Temp\portmonitor.exe"
      signatures: Checks computer location settings; Executes dropped EXE; Modifies registry class; Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\WScript.exe (PID 3972)
        command line: "C:\Windows\System32\WScript.exe" "C:\Webnet\xEX0MYAV03ULsqYY87UbhI7XqesjrcJfyK7h.vbe"
        signatures: Checks computer location settings; Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\cmd.exe (PID 4732)
          command line: C:\Windows\system32\cmd.exe /c ""C:\Webnet\x9qTsv13UFeYw.bat" "
          signatures: Suspicious use of WriteProcessMemory
          - C:\Webnet\portmonitor.exe (PID 4556)
            command line: "C:\Webnet/portmonitor.exe"
            signatures: Modifies WinLogon for persistence; Checks computer location settings; Executes dropped EXE; Adds Run key to start application; Drops file in Program Files directory; Modifies registry class; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
            - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe (PID 2748)
              command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\trcuwpu1\trcuwpu1.cmdline"
              signatures: Drops file in System32 directory; Suspicious use of WriteProcessMemory
              - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe (PID 3184)
                command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9EE0.tmp" "c:\Windows\System32\CSC56DC0060DE534FD4B15B31062D3D8C8.TMP"
            - C:\Windows\System32\cmd.exe (PID 4012)
              command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\HOiE1HiitJ.bat"
              signatures: Suspicious use of WriteProcessMemory
              - C:\Windows\system32\chcp.com (PID 3952)
                command line: chcp 65001
              - C:\Windows\system32\w32tm.exe (PID 1684)
                command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
              - C:\Recovery\WindowsRE\explorer.exe (PID 4464)
                command line: "C:\Recovery\WindowsRE\explorer.exe"
                signatures: Executes dropped EXE; Suspicious behavior: GetForegroundWindowSpam; Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\schtasks.exe (PID 3636)
  command line: schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\Program Files\Common Files\Idle.exe'" /f
  signatures: Process spawned unexpected child process; Creates scheduled task(s)
- C:\Windows\system32\schtasks.exe (PID 4000)
  command line: schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files\Common Files\Idle.exe'" /rl HIGHEST /f
  signatures: Process spawned unexpected child process; Creates scheduled task(s)
- C:\Windows\system32\schtasks.exe (PID 1744)
  command line: schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\Program Files\Common Files\Idle.exe'" /rl HIGHEST /f
  signatures: Process spawned unexpected child process; Creates scheduled task(s)
- C:\Windows\system32\schtasks.exe (PID 4388)
  command line: schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\explorer.exe'" /f
  signatures: Process spawned unexpected child process; Creates scheduled task(s)
- C:\Windows\system32\schtasks.exe (PID 4156)
  command line: schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f
  signatures: Process spawned unexpected child process; Creates scheduled task(s)
- C:\Windows\system32\schtasks.exe (PID 2424)
  command line: schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f
  signatures: Process spawned unexpected child process; Creates scheduled task(s)
- C:\Windows\system32\schtasks.exe (PID 4944)
  command line: schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\Webnet\services.exe'" /f
  signatures: Process spawned unexpected child process; Creates scheduled task(s)
- C:\Windows\system32\schtasks.exe (PID 1452)
  command line: schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Webnet\services.exe'" /rl HIGHEST /f
  signatures: Process spawned unexpected child process; Creates scheduled task(s)
- C:\Windows\system32\schtasks.exe (PID 1096)
  command line: schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\Webnet\services.exe'" /rl HIGHEST /f
  signatures: Process spawned unexpected child process; Creates scheduled task(s)
- C:\Windows\system32\schtasks.exe (PID 4660)
  command line: schtasks.exe /create /tn "portmonitorp" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\portmonitor.exe'" /f
  signatures: Process spawned unexpected child process; Creates scheduled task(s)
- C:\Windows\system32\schtasks.exe (PID 2756)
  command line: schtasks.exe /create /tn "portmonitor" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\portmonitor.exe'" /rl HIGHEST /f
  signatures: Process spawned unexpected child process; Creates scheduled task(s)
- C:\Windows\system32\schtasks.exe (PID 2936)
  command line: schtasks.exe /create /tn "portmonitorp" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\portmonitor.exe'" /rl HIGHEST /f
  signatures: Process spawned unexpected child process; Creates scheduled task(s)
- C:\Windows\system32\schtasks.exe (PID 4524)
  command line: schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Users\Default\SendTo\smss.exe'" /f
  signatures: Process spawned unexpected child process; Creates scheduled task(s)
- C:\Windows\system32\schtasks.exe (PID 3648)
  command line: schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\Default\SendTo\smss.exe'" /rl HIGHEST /f
  signatures: Process spawned unexpected child process; Creates scheduled task(s)
- C:\Windows\system32\schtasks.exe (PID 4728)
  command line: schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\Users\Default\SendTo\smss.exe'" /rl HIGHEST /f
  signatures: Process spawned unexpected child process; Creates scheduled task(s)
- C:\Windows\system32\schtasks.exe (PID 4380)
  command line: schtasks.exe /create /tn "portmonitorp" /sc MINUTE /mo 13 /tr "'C:\Webnet\portmonitor.exe'" /f
  signatures: Process spawned unexpected child process; Creates scheduled task(s)
- C:\Windows\system32\schtasks.exe (PID 4168)
  command line: schtasks.exe /create /tn "portmonitor" /sc ONLOGON /tr "'C:\Webnet\portmonitor.exe'" /rl HIGHEST /f
  signatures: Process spawned unexpected child process; Creates scheduled task(s)
- C:\Windows\system32\schtasks.exe (PID 2792)
  command line: schtasks.exe /create /tn "portmonitorp" /sc MINUTE /mo 8 /tr "'C:\Webnet\portmonitor.exe'" /rl HIGHEST /f
  signatures: Process spawned unexpected child process; Creates scheduled task(s)
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
- Scheduled Task/Job (1)
Downloads