Analysis
max time kernel: 148s
max time network: 157s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 12-05-2024 09:02
Static task: static1
Behavioral task: behavioral1
Sample: 872a2f4decf76a5c8cf44a9b017a780847d8b3c50571433232e398ab0931c638.exe
Resource: win7-20240221-en
General
Target: 872a2f4decf76a5c8cf44a9b017a780847d8b3c50571433232e398ab0931c638.exe
Size: 8.7MB
MD5: 57ec49d438753f3bdfec6a616258b370
SHA1: a34f757f5f2bd4763f04206c0d0cd32ab4491117
SHA256: 872a2f4decf76a5c8cf44a9b017a780847d8b3c50571433232e398ab0931c638
SHA512: 88bdae1b6a45efa83c4a9ff28a4549c33db28ba2bb1d1911d028090e9dc3831ef57f6577388844a4cfccc60dbca70315a7f9d7311f6638bcf00da97110e1c64a
SSDEEP: 196608:ITAJDpNk+Rl4/Xi/yRvyCyKuhBfldGdrmVLaY1rHgu:oAlzJ7yRvyCx+xpgu
Malware Config
Signatures
-
Detect ZGRat V1 3 IoCs
resource | yara_rule
behavioral2/files/0x000800000002326a-31.dat | family_zgrat_v1
behavioral2/files/0x000800000002326d-47.dat | family_zgrat_v1
behavioral2/memory/4680-49-0x0000000000EA0000-0x000000000122E000-memory.dmp | family_zgrat_v1
Modifies WinLogon for persistence 2 TTPs 6 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Webnet\\SearchApp.exe\"" | portmonitor.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Webnet\\SearchApp.exe\", \"C:\\Users\\All Users\\ssh\\portmonitor.exe\"" | portmonitor.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Webnet\\SearchApp.exe\", \"C:\\Users\\All Users\\ssh\\portmonitor.exe\", \"C:\\Webnet\\Idle.exe\"" | portmonitor.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Webnet\\SearchApp.exe\", \"C:\\Users\\All Users\\ssh\\portmonitor.exe\", \"C:\\Webnet\\Idle.exe\", \"C:\\Program Files\\7-Zip\\Lang\\System.exe\"" | portmonitor.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Webnet\\SearchApp.exe\", \"C:\\Users\\All Users\\ssh\\portmonitor.exe\", \"C:\\Webnet\\Idle.exe\", \"C:\\Program Files\\7-Zip\\Lang\\System.exe\", \"C:\\Windows\\schemas\\Provisioning\\WmiPrvSE.exe\"" | portmonitor.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Webnet\\SearchApp.exe\", \"C:\\Users\\All Users\\ssh\\portmonitor.exe\", \"C:\\Webnet\\Idle.exe\", \"C:\\Program Files\\7-Zip\\Lang\\System.exe\", \"C:\\Windows\\schemas\\Provisioning\\WmiPrvSE.exe\", \"C:\\Webnet\\portmonitor.exe\"" | portmonitor.exe
Process spawned unexpected child process 18 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
description | pid | pid_target | Process | procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1516 | 5948 | schtasks.exe | 99
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3976 | 5948 | schtasks.exe | 99
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3900 | 5948 | schtasks.exe | 99
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3392 | 5948 | schtasks.exe | 99
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 820 | 5948 | schtasks.exe | 99
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 5124 | 5948 | schtasks.exe | 99
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 5360 | 5948 | schtasks.exe | 99
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 6048 | 5948 | schtasks.exe | 99
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1436 | 5948 | schtasks.exe | 99
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3728 | 5948 | schtasks.exe | 99
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 5164 | 5948 | schtasks.exe | 99
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1704 | 5948 | schtasks.exe | 99
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4092 | 5948 | schtasks.exe | 99
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 748 | 5948 | schtasks.exe | 99
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 528 | 5948 | schtasks.exe | 99
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2232 | 5948 | schtasks.exe | 99
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3128 | 5948 | schtasks.exe | 99
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 864 | 5948 | schtasks.exe | 99
Checks computer location settings 2 TTPs 5 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation | WScript.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation | portmonitor.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation | 872a2f4decf76a5c8cf44a9b017a780847d8b3c50571433232e398ab0931c638.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation | leetcrack.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation | portmonitor.exe
Executes dropped EXE 7 IoCs
pid | Process
4540 | Nursultan 1.16.5 Crack.exe
1956 | leetcrack.exe
1080 | 3b73a6fa2092a350d795.exe
5016 | portmonitor.exe
4680 | portmonitor.exe
2296 | SearchApp.exe
1452 | msedge.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
resource | yara_rule
behavioral2/files/0x0008000000023266-22.dat | upx
behavioral2/memory/1080-35-0x00007FF73A660000-0x00007FF73B28A000-memory.dmp | upx
Adds Run key to start application 2 TTPs 12 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SearchApp = "\"C:\\Webnet\\SearchApp.exe\"" | portmonitor.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Webnet\\Idle.exe\"" | portmonitor.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Webnet\\Idle.exe\"" | portmonitor.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\portmonitor = "\"C:\\Webnet\\portmonitor.exe\"" | portmonitor.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\Windows\\schemas\\Provisioning\\WmiPrvSE.exe\"" | portmonitor.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\portmonitor = "\"C:\\Webnet\\portmonitor.exe\"" | portmonitor.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SearchApp = "\"C:\\Webnet\\SearchApp.exe\"" | portmonitor.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\portmonitor = "\"C:\\Users\\All Users\\ssh\\portmonitor.exe\"" | portmonitor.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\portmonitor = "\"C:\\Users\\All Users\\ssh\\portmonitor.exe\"" | portmonitor.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\Program Files\\7-Zip\\Lang\\System.exe\"" | portmonitor.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\Program Files\\7-Zip\\Lang\\System.exe\"" | portmonitor.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\Windows\\schemas\\Provisioning\\WmiPrvSE.exe\"" | portmonitor.exe
Drops file in System32 directory 2 IoCs
description | ioc | Process
File created | \??\c:\Windows\System32\_iyiwy.exe | csc.exe
File created | \??\c:\Windows\System32\CSC9824FA945D1A4950A9E09A524E62DFA.TMP | csc.exe
Drops file in Program Files directory 4 IoCs
description | ioc | Process
File created | C:\Program Files\7-Zip\Lang\System.exe | portmonitor.exe
File created | C:\Program Files\7-Zip\Lang\27d1bcfc3c54e0 | portmonitor.exe
File created | \??\c:\Program Files (x86)\Microsoft\Edge\Application\CSC19D8DC4283B74AAC89C59649471FDEEA.TMP | csc.exe
File created | \??\c:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | csc.exe
Drops file in Windows directory 3 IoCs
description | ioc | Process
File created | C:\Windows\schemas\Provisioning\WmiPrvSE.exe | portmonitor.exe
File opened for modification | C:\Windows\schemas\Provisioning\WmiPrvSE.exe | portmonitor.exe
File created | C:\Windows\schemas\Provisioning\24dbde2999530e | portmonitor.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 18 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
3976 | schtasks.exe
820 | schtasks.exe
5124 | schtasks.exe
1436 | schtasks.exe
4092 | schtasks.exe
2232 | schtasks.exe
3900 | schtasks.exe
3392 | schtasks.exe
6048 | schtasks.exe
3728 | schtasks.exe
5164 | schtasks.exe
5360 | schtasks.exe
864 | schtasks.exe
1516 | schtasks.exe
1704 | schtasks.exe
748 | schtasks.exe
528 | schtasks.exe
3128 | schtasks.exe
Modifies registry class 2 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings | portmonitor.exe
Key created | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings | portmonitor.exe
Runs ping.exe 1 TTPs 1 IoCs
pid | Process
3944 | PING.EXE
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process
4680 | portmonitor.exe
(the same entry, pid 4680 portmonitor.exe, is repeated 64 times)
Suspicious use of AdjustPrivilegeToken 2 IoCs
description | pid | Process
Token: SeDebugPrivilege | 4680 | portmonitor.exe
Token: SeDebugPrivilege | 2296 | SearchApp.exe
Suspicious use of WriteProcessMemory 35 IoCs
description | pid | Process | procid_target
PID 4620 wrote to memory of 4540 | 4620 | 872a2f4decf76a5c8cf44a9b017a780847d8b3c50571433232e398ab0931c638.exe | 91
PID 4620 wrote to memory of 4540 | 4620 | 872a2f4decf76a5c8cf44a9b017a780847d8b3c50571433232e398ab0931c638.exe | 91
PID 4620 wrote to memory of 4540 | 4620 | 872a2f4decf76a5c8cf44a9b017a780847d8b3c50571433232e398ab0931c638.exe | 91
PID 4620 wrote to memory of 1956 | 4620 | 872a2f4decf76a5c8cf44a9b017a780847d8b3c50571433232e398ab0931c638.exe | 92
PID 4620 wrote to memory of 1956 | 4620 | 872a2f4decf76a5c8cf44a9b017a780847d8b3c50571433232e398ab0931c638.exe | 92
PID 4620 wrote to memory of 1956 | 4620 | 872a2f4decf76a5c8cf44a9b017a780847d8b3c50571433232e398ab0931c638.exe | 92
PID 1956 wrote to memory of 1080 | 1956 | leetcrack.exe | 93
PID 1956 wrote to memory of 1080 | 1956 | leetcrack.exe | 93
PID 1956 wrote to memory of 5016 | 1956 | leetcrack.exe | 94
PID 1956 wrote to memory of 5016 | 1956 | leetcrack.exe | 94
PID 1956 wrote to memory of 5016 | 1956 | leetcrack.exe | 94
PID 5016 wrote to memory of 5768 | 5016 | portmonitor.exe | 95
PID 5016 wrote to memory of 5768 | 5016 | portmonitor.exe | 95
PID 5016 wrote to memory of 5768 | 5016 | portmonitor.exe | 95
PID 5768 wrote to memory of 3216 | 5768 | WScript.exe | 103
PID 5768 wrote to memory of 3216 | 5768 | WScript.exe | 103
PID 5768 wrote to memory of 3216 | 5768 | WScript.exe | 103
PID 3216 wrote to memory of 4680 | 3216 | cmd.exe | 105
PID 3216 wrote to memory of 4680 | 3216 | cmd.exe | 105
PID 4680 wrote to memory of 5184 | 4680 | portmonitor.exe | 110
PID 4680 wrote to memory of 5184 | 4680 | portmonitor.exe | 110
PID 5184 wrote to memory of 2328 | 5184 | csc.exe | 112
PID 5184 wrote to memory of 2328 | 5184 | csc.exe | 112
PID 4680 wrote to memory of 2776 | 4680 | portmonitor.exe | 113
PID 4680 wrote to memory of 2776 | 4680 | portmonitor.exe | 113
PID 2776 wrote to memory of 4788 | 2776 | csc.exe | 115
PID 2776 wrote to memory of 4788 | 2776 | csc.exe | 115
PID 4680 wrote to memory of 3040 | 4680 | portmonitor.exe | 131
PID 4680 wrote to memory of 3040 | 4680 | portmonitor.exe | 131
PID 3040 wrote to memory of 5100 | 3040 | cmd.exe | 133
PID 3040 wrote to memory of 5100 | 3040 | cmd.exe | 133
PID 3040 wrote to memory of 3944 | 3040 | cmd.exe | 134
PID 3040 wrote to memory of 3944 | 3040 | cmd.exe | 134
PID 3040 wrote to memory of 2296 | 3040 | cmd.exe | 135
PID 3040 wrote to memory of 2296 | 3040 | cmd.exe | 135
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
(tree depth in brackets; children are indented under their parent)

[1] C:\Users\Admin\AppData\Local\Temp\872a2f4decf76a5c8cf44a9b017a780847d8b3c50571433232e398ab0931c638.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\872a2f4decf76a5c8cf44a9b017a780847d8b3c50571433232e398ab0931c638.exe"
    PID: 4620
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
  [2] C:\Users\Admin\AppData\Local\Temp\Nursultan 1.16.5 Crack.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\Nursultan 1.16.5 Crack.exe"
      PID: 4540
      - Executes dropped EXE
  [2] C:\Users\Admin\AppData\Local\Temp\leetcrack.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\leetcrack.exe"
      PID: 1956
      - Checks computer location settings
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
    [3] C:\Users\Admin\AppData\Local\Temp\3b73a6fa2092a350d795.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\3b73a6fa2092a350d795.exe"
        PID: 1080
        - Executes dropped EXE
    [3] C:\Users\Admin\AppData\Local\Temp\portmonitor.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\portmonitor.exe"
        PID: 5016
        - Checks computer location settings
        - Executes dropped EXE
        - Modifies registry class
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\SysWOW64\WScript.exe
          Command line: "C:\Windows\System32\WScript.exe" "C:\Webnet\xEX0MYAV03ULsqYY87UbhI7XqesjrcJfyK7h.vbe"
          PID: 5768
          - Checks computer location settings
          - Suspicious use of WriteProcessMemory
        [5] C:\Windows\SysWOW64\cmd.exe
            Command line: C:\Windows\system32\cmd.exe /c ""C:\Webnet\x9qTsv13UFeYw.bat" "
            PID: 3216
            - Suspicious use of WriteProcessMemory
          [6] C:\Webnet\portmonitor.exe
              Command line: "C:\Webnet/portmonitor.exe"
              PID: 4680
              - Modifies WinLogon for persistence
              - Checks computer location settings
              - Executes dropped EXE
              - Adds Run key to start application
              - Drops file in Program Files directory
              - Drops file in Windows directory
              - Modifies registry class
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious use of AdjustPrivilegeToken
              - Suspicious use of WriteProcessMemory
            [7] C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                Command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\hofjtci1\hofjtci1.cmdline"
                PID: 5184
                - Drops file in Program Files directory
                - Suspicious use of WriteProcessMemory
              [8] C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                  Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8354.tmp" "c:\Program Files (x86)\Microsoft\Edge\Application\CSC19D8DC4283B74AAC89C59649471FDEEA.TMP"
                  PID: 2328
            [7] C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                Command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\113dalzk\113dalzk.cmdline"
                PID: 2776
                - Drops file in System32 directory
                - Suspicious use of WriteProcessMemory
              [8] C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                  Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES845E.tmp" "c:\Windows\System32\CSC9824FA945D1A4950A9E09A524E62DFA.TMP"
                  PID: 4788
            [7] C:\Windows\System32\cmd.exe
                Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\TbEbrizJLh.bat"
                PID: 3040
                - Suspicious use of WriteProcessMemory
              [8] C:\Windows\system32\chcp.com
                  Command line: chcp 65001
                  PID: 5100
              [8] C:\Windows\system32\PING.EXE
                  Command line: ping -n 10 localhost
                  PID: 3944
                  - Runs ping.exe
              [8] C:\Webnet\SearchApp.exe
                  Command line: "C:\Webnet\SearchApp.exe"
                  PID: 2296
                  - Executes dropped EXE
                  - Suspicious use of AdjustPrivilegeToken
[1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 9 /tr "'C:\Webnet\SearchApp.exe'" /f
    PID: 1516
    - Process spawned unexpected child process
    - Creates scheduled task(s)
[1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Webnet\SearchApp.exe'" /rl HIGHEST /f
    PID: 3976
    - Process spawned unexpected child process
    - Creates scheduled task(s)
[1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 8 /tr "'C:\Webnet\SearchApp.exe'" /rl HIGHEST /f
    PID: 3900
    - Process spawned unexpected child process
    - Creates scheduled task(s)
[1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "portmonitorp" /sc MINUTE /mo 5 /tr "'C:\Users\All Users\ssh\portmonitor.exe'" /f
    PID: 3392
    - Process spawned unexpected child process
    - Creates scheduled task(s)
[1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "portmonitor" /sc ONLOGON /tr "'C:\Users\All Users\ssh\portmonitor.exe'" /rl HIGHEST /f
    PID: 820
    - Process spawned unexpected child process
    - Creates scheduled task(s)
[1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "portmonitorp" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\ssh\portmonitor.exe'" /rl HIGHEST /f
    PID: 5124
    - Process spawned unexpected child process
    - Creates scheduled task(s)
[1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\Webnet\Idle.exe'" /f
    PID: 5360
    - Process spawned unexpected child process
    - Creates scheduled task(s)
[1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Webnet\Idle.exe'" /rl HIGHEST /f
    PID: 6048
    - Process spawned unexpected child process
    - Creates scheduled task(s)
[1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\Webnet\Idle.exe'" /rl HIGHEST /f
    PID: 1436
    - Process spawned unexpected child process
    - Creates scheduled task(s)
[1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Program Files\7-Zip\Lang\System.exe'" /f
    PID: 3728
    - Process spawned unexpected child process
    - Creates scheduled task(s)
[1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files\7-Zip\Lang\System.exe'" /rl HIGHEST /f
    PID: 5164
    - Process spawned unexpected child process
    - Creates scheduled task(s)
[1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\Program Files\7-Zip\Lang\System.exe'" /rl HIGHEST /f
    PID: 1704
    - Process spawned unexpected child process
    - Creates scheduled task(s)
[1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 8 /tr "'C:\Windows\schemas\Provisioning\WmiPrvSE.exe'" /f
    PID: 4092
    - Process spawned unexpected child process
    - Creates scheduled task(s)
[1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Windows\schemas\Provisioning\WmiPrvSE.exe'" /rl HIGHEST /f
    PID: 748
    - Process spawned unexpected child process
    - Creates scheduled task(s)
[1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 7 /tr "'C:\Windows\schemas\Provisioning\WmiPrvSE.exe'" /rl HIGHEST /f
    PID: 528
    - Process spawned unexpected child process
    - Creates scheduled task(s)
[1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "portmonitorp" /sc MINUTE /mo 13 /tr "'C:\Webnet\portmonitor.exe'" /f
    PID: 2232
    - Process spawned unexpected child process
    - Creates scheduled task(s)
[1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "portmonitor" /sc ONLOGON /tr "'C:\Webnet\portmonitor.exe'" /rl HIGHEST /f
    PID: 3128
    - Process spawned unexpected child process
    - Creates scheduled task(s)
[1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "portmonitorp" /sc MINUTE /mo 5 /tr "'C:\Webnet\portmonitor.exe'" /rl HIGHEST /f
    PID: 864
    - Process spawned unexpected child process
    - Creates scheduled task(s)
[1] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3100 --field-trial-handle=2280,i,1836084024518340990,18250262151825427757,262144 --variations-seed-version /prefetch:8
    PID: 1452
    - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
- Scheduled Task/Job (1)
Downloads