Malware Analysis Report

2024-11-30 20:05

Sample ID 240509-dprdwsab96
Target b86ca52b5137070fecf0f62413e67427bb325b68c67677085b4945394edb416f
SHA256 b86ca52b5137070fecf0f62413e67427bb325b68c67677085b4945394edb416f
Tags
zgrat persistence rat
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

b86ca52b5137070fecf0f62413e67427bb325b68c67677085b4945394edb416f

Threat Level: Known bad

The file b86ca52b5137070fecf0f62413e67427bb325b68c67677085b4945394edb416f was found to be: Known bad.

Malicious Activity Summary

zgrat persistence rat

Modifies WinLogon for persistence

Process spawned unexpected child process

ZGRat

Detects executables packed with unregistered version of .NET Reactor

Detect ZGRat V1

Zgrat family

Loads dropped DLL

Checks computer location settings

Executes dropped EXE

Adds Run key to start application

Drops file in System32 directory

Drops file in Program Files directory

Drops file in Windows directory

Enumerates physical storage devices

Unsigned PE

Uses Task Scheduler COM API

Runs ping.exe

Suspicious use of AdjustPrivilegeToken

Modifies registry class

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Creates scheduled task(s)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-09 03:11

Signatures

Detect ZGRat V1

Description Indicator Process Target
N/A N/A N/A N/A

Detects executables packed with unregistered version of .NET Reactor

Description Indicator Process Target
N/A N/A N/A N/A

Zgrat family

zgrat

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-09 03:11

Reported

2024-05-09 03:13

Platform

win7-20240508-en

Max time kernel

142s

Max time network

130s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b86ca52b5137070fecf0f62413e67427bb325b68c67677085b4945394edb416f.exe"

Signatures

Detect ZGRat V1

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\Idle.exe\", \"C:\\Program Files (x86)\\Microsoft Sync Framework\\v1.0\\Runtime\\x86\\wininit.exe\", \"C:\\Program Files\\Java\\jre7\\bin\\dtplugin\\winlogon.exe\", \"C:\\Recovery\\8f60a382-0d98-11ef-817d-5aba25856535\\csrss.exe\"" C:\ChainProvider\BridgeWin.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\Idle.exe\", \"C:\\Program Files (x86)\\Microsoft Sync Framework\\v1.0\\Runtime\\x86\\wininit.exe\", \"C:\\Program Files\\Java\\jre7\\bin\\dtplugin\\winlogon.exe\", \"C:\\Recovery\\8f60a382-0d98-11ef-817d-5aba25856535\\csrss.exe\", \"C:\\Program Files (x86)\\Microsoft Analysis Services\\AS OLEDB\\10\\Resources\\csrss.exe\"" C:\ChainProvider\BridgeWin.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\Idle.exe\"" C:\ChainProvider\BridgeWin.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\Idle.exe\", \"C:\\Program Files (x86)\\Microsoft Sync Framework\\v1.0\\Runtime\\x86\\wininit.exe\"" C:\ChainProvider\BridgeWin.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\Idle.exe\", \"C:\\Program Files (x86)\\Microsoft Sync Framework\\v1.0\\Runtime\\x86\\wininit.exe\", \"C:\\Program Files\\Java\\jre7\\bin\\dtplugin\\winlogon.exe\"" C:\ChainProvider\BridgeWin.exe N/A

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe (15 entries)

ZGRat

rat zgrat

Detects executables packed with unregistered version of .NET Reactor

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\Idle.exe\"" C:\ChainProvider\BridgeWin.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\Idle.exe\"" C:\ChainProvider\BridgeWin.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Program Files\\Java\\jre7\\bin\\dtplugin\\winlogon.exe\"" C:\ChainProvider\BridgeWin.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Program Files (x86)\\Microsoft Sync Framework\\v1.0\\Runtime\\x86\\wininit.exe\"" C:\ChainProvider\BridgeWin.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Program Files (x86)\\Microsoft Sync Framework\\v1.0\\Runtime\\x86\\wininit.exe\"" C:\ChainProvider\BridgeWin.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Program Files\\Java\\jre7\\bin\\dtplugin\\winlogon.exe\"" C:\ChainProvider\BridgeWin.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Recovery\\8f60a382-0d98-11ef-817d-5aba25856535\\csrss.exe\"" C:\ChainProvider\BridgeWin.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Recovery\\8f60a382-0d98-11ef-817d-5aba25856535\\csrss.exe\"" C:\ChainProvider\BridgeWin.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Program Files (x86)\\Microsoft Analysis Services\\AS OLEDB\\10\\Resources\\csrss.exe\"" C:\ChainProvider\BridgeWin.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Program Files (x86)\\Microsoft Analysis Services\\AS OLEDB\\10\\Resources\\csrss.exe\"" C:\ChainProvider\BridgeWin.exe N/A
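
The two tables above are the sample's registry persistence. The Winlogon Shell value, whose default is exactly explorer.exe, is rewritten so that every dropped copy is started by Winlogon alongside the real shell at each interactive logon, and Run values in both HKLM and the user hive point at the same copies, which are named after core system binaries (winlogon.exe, csrss.exe, wininit.exe) but live under Program Files, Java and C:\Recovery. The check below is an added example, not part of the sandbox report: it parses "Set value (str)" rows of this shape, reports every Shell entry beyond explorer.exe, flags system binary names outside the Windows directories, and flags Run images in directories installers do not use. The first two EVENTS lines are copied from the report; the OneDrive line is a constructed benign control, and the name, directory and unusual-directory lists are assumptions of the example.

```python
"""
Added example, not part of the sandbox report: triage registry persistence
writes of the kind listed above. EVENTS holds two rows copied from the report
(backslash-escaped exactly as the report prints them) plus one constructed
benign Run entry used as a control.
"""
import json
import re
from pathlib import PureWindowsPath

# Core Windows binary names that malware reuses; legitimate copies live only
# in the directories below. Both sets are assumptions of this example, chosen
# to cover the names that appear in the report.
SYSTEM_NAMES = {"winlogon.exe", "csrss.exe", "wininit.exe", "lsass.exe",
                "svchost.exe", "dllhost.exe", "smss.exe", "explorer.exe"}
SYSTEM_DIRS = {"c:\\windows", "c:\\windows\\system32", "c:\\windows\\syswow64"}
# Directories no installer uses for an autostart image (heuristic list).
UNUSUAL_DIRS = ("\\recovery\\", "\\windows\\tracing\\", "\\appdata\\local\\temp\\")

# Row shape: Set value (str) <key> = "<JSON-escaped value>"
EVENT = re.compile(r'^Set value \(str\) (?P<key>.+?) = (?P<val>".*")$')
# Comma-separated list of quoted or bare tokens, as in the Winlogon Shell value.
TOKEN = re.compile(r'"([^"]*)"|([^,\s"]+)')

EVENTS = [
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\Idle.exe\", \"C:\\Program Files\\Java\\jre7\\bin\\dtplugin\\winlogon.exe\""',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Recovery\\8f60a382-0d98-11ef-817d-5aba25856535\\csrss.exe\""',
    # Constructed benign control: a per-user OneDrive autostart entry.
    r'Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"',
]


def tokenize(value):
    """Split 'explorer.exe, "C:\\a b\\x.exe"' into its entries."""
    return [quoted or bare for quoted, bare in TOKEN.findall(value)]


def is_masquerade(path):
    """A system binary name whose directory is not a Windows directory."""
    p = PureWindowsPath(path)
    return bool(p.drive) and p.name.lower() in SYSTEM_NAMES \
        and str(p.parent).lower() not in SYSTEM_DIRS


def triage(events):
    """Return (finding, registry key, image path) tuples for the events."""
    findings = []
    for line in events:
        m = EVENT.match(line)
        if not m:
            continue
        key, value = m["key"], json.loads(m["val"])   # undo the report's escaping
        entries = tokenize(value)
        k = key.lower()
        if k.endswith("\\winlogon\\shell"):
            # Default is exactly "explorer.exe"; every extra entry is started
            # by Winlogon next to the real shell at each interactive logon.
            for extra in (e for e in entries if e.lower() != "explorer.exe"):
                findings.append(("winlogon_shell_extra", key, extra))
                if is_masquerade(extra):
                    findings.append(("masquerade", key, extra))
        elif "\\currentversion\\run\\" in k and entries:
            image = entries[0]                 # first token is the program path
            if is_masquerade(image):
                findings.append(("masquerade", key, image))
            if any(d in image.lower() for d in UNUSUAL_DIRS):
                findings.append(("run_key_unusual_dir", key, image))
    return findings


if __name__ == "__main__":
    for kind, key, path in triage(EVENTS):
        print(f"{kind:22} {path}")
```

Run against EVENTS, the check yields five findings: two Shell extras, a masquerade for each winlogon.exe and csrss.exe copy, and the unusual C:\Recovery location; the OneDrive control produces none. The Shell value is only decoded from the report's escaped form with json.loads because the sandbox prints it JSON-escaped; a live registry read would hand the value back unescaped and skip that step.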

Drops file in System32 directory

Description Indicator Process Target
File created \??\c:\Windows\System32\CSCEDB5FC9FC77B459ABBA87BD8A62AF982.TMP C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe N/A
File created \??\c:\Windows\System32\bsgne1.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Mozilla Maintenance Service\logs\Idle.exe C:\ChainProvider\BridgeWin.exe N/A
File opened for modification C:\Program Files (x86)\Mozilla Maintenance Service\logs\Idle.exe C:\ChainProvider\BridgeWin.exe N/A
File created C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\wininit.exe C:\ChainProvider\BridgeWin.exe N/A
File created C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\56085415360792 C:\ChainProvider\BridgeWin.exe N/A
File created C:\Program Files\Java\jre7\bin\dtplugin\winlogon.exe C:\ChainProvider\BridgeWin.exe N/A
File created C:\Program Files\Java\jre7\bin\dtplugin\cc11b995f2a76d C:\ChainProvider\BridgeWin.exe N/A
File created C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Resources\csrss.exe C:\ChainProvider\BridgeWin.exe N/A
File created C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Resources\886983d96e3d3e C:\ChainProvider\BridgeWin.exe N/A
File created C:\Program Files (x86)\Mozilla Maintenance Service\logs\6ccacd8608530f C:\ChainProvider\BridgeWin.exe N/A

Enumerates physical storage devices

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\PING.EXE N/A
N/A N/A C:\Windows\system32\PING.EXE N/A
N/A N/A C:\Windows\system32\PING.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\ChainProvider\BridgeWin.exe N/A (64 entries)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\ChainProvider\BridgeWin.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Java\jre7\bin\dtplugin\winlogon.exe N/A (4 entries)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1920 wrote to memory of 1752 N/A C:\Users\Admin\AppData\Local\Temp\b86ca52b5137070fecf0f62413e67427bb325b68c67677085b4945394edb416f.exe C:\Windows\SysWOW64\WScript.exe (4 entries)
PID 1752 wrote to memory of 2704 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe (4 entries)
PID 2704 wrote to memory of 2688 N/A C:\Windows\SysWOW64\cmd.exe C:\ChainProvider\BridgeWin.exe (4 entries)
PID 2688 wrote to memory of 2016 N/A C:\ChainProvider\BridgeWin.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe (3 entries)
PID 2016 wrote to memory of 2380 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe (3 entries)
PID 2688 wrote to memory of 484 N/A C:\ChainProvider\BridgeWin.exe C:\Windows\System32\cmd.exe (3 entries)
PID 484 wrote to memory of 952 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\chcp.com (3 entries)
PID 484 wrote to memory of 1652 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\PING.EXE (3 entries)
PID 484 wrote to memory of 600 N/A C:\Windows\System32\cmd.exe C:\Program Files\Java\jre7\bin\dtplugin\winlogon.exe (3 entries)
PID 600 wrote to memory of 2104 N/A C:\Program Files\Java\jre7\bin\dtplugin\winlogon.exe C:\Windows\System32\cmd.exe (3 entries)
PID 2104 wrote to memory of 572 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\chcp.com (3 entries)
PID 2104 wrote to memory of 2132 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe (3 entries)
PID 2104 wrote to memory of 1704 N/A C:\Windows\System32\cmd.exe C:\Program Files\Java\jre7\bin\dtplugin\winlogon.exe (3 entries)
PID 1704 wrote to memory of 608 N/A C:\Program Files\Java\jre7\bin\dtplugin\winlogon.exe C:\Windows\System32\cmd.exe (3 entries)
PID 608 wrote to memory of 2976 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\chcp.com (3 entries)
PID 608 wrote to memory of 1636 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe (3 entries)
PID 608 wrote to memory of 2620 N/A C:\Windows\System32\cmd.exe C:\Program Files\Java\jre7\bin\dtplugin\winlogon.exe (3 entries)
PID 2620 wrote to memory of 1816 N/A C:\Program Files\Java\jre7\bin\dtplugin\winlogon.exe C:\Windows\System32\cmd.exe (3 entries)
PID 1816 wrote to memory of 1900 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\chcp.com (3 entries)
PID 1816 wrote to memory of 2136 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\PING.EXE (3 entries)
PID 1816 wrote to memory of 1536 N/A C:\Windows\System32\cmd.exe C:\Program Files\Java\jre7\bin\dtplugin\winlogon.exe (1 entry)
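
Read as a whole, the rows above are the process tree: the sample starts WScript.exe on the .vbe, which starts cmd.exe on the .bat, which starts BridgeWin.exe; BridgeWin.exe compiles a helper with csc.exe, drops its copies, then runs a batch file that calls chcp 65001, sleeps by way of ping -n 10 localhost or w32tm /stripchart, and launches the dropped winlogon.exe, which repeats the batch-and-relaunch cycle. The schtasks.exe processes do not appear under BridgeWin.exe at all; the "Process spawned unexpected child process" table lists them under WmiPrvSE.exe, which is what a process created through WMI looks like, so the parent/child link to the real requester is not visible in the tree. The script below is an added example, not part of the report: it rebuilds the tree from rows of this shape, ignores the repeated entries the sandbox emits per spawn, and flags masquerading image names, the delayed (re)launch through a cmd.exe that sleeps, and the WmiPrvSE-to-schtasks parent relationship. The last ROWS entry is constructed (PIDs 1234 and 2345 are invented) because the unexpected-child rows in the report carry no PIDs.

```python
"""
Added example, not part of the sandbox report: rebuild the process tree from
the "PID X wrote to memory of Y" rows above and flag what the tree shows.
ROWS holds one row per distinct parent/child pair copied from the report,
plus one constructed row (invented PIDs) that stands in for the
"Process spawned unexpected child process" rows, which list no PIDs.
"""
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Row shape as printed by the sandbox; a trailing "(N entries)" count, if the
# table has been deduplicated, is accepted and ignored.
ROW = re.compile(
    r"^PID (\d+) wrote to memory of (\d+) N/A "
    r"(?P<parent>[A-Za-z]:\\.+?) (?P<child>[A-Za-z]:\\.+?)(?: \(\d+ entr(?:y|ies)\))?$"
)

SYSTEM_DIRS = {"c:\\windows", "c:\\windows\\system32", "c:\\windows\\syswow64"}
SYSTEM_NAMES = {"winlogon.exe", "csrss.exe", "wininit.exe", "lsass.exe",
                "svchost.exe", "dllhost.exe", "smss.exe"}
DELAY_BINARIES = {"ping.exe", "w32tm.exe", "timeout.exe"}   # built-ins abused as sleep()
# (parent image, child image) pairs not expected in normal operation. A
# schtasks.exe under WmiPrvSE.exe was started through WMI process creation.
UNEXPECTED_PARENT = {("wmiprvse.exe", "schtasks.exe")}

ROWS = [
    r"PID 1920 wrote to memory of 1752 N/A C:\Users\Admin\AppData\Local\Temp\b86ca52b5137070fecf0f62413e67427bb325b68c67677085b4945394edb416f.exe C:\Windows\SysWOW64\WScript.exe",
    r"PID 1752 wrote to memory of 2704 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe",
    r"PID 2704 wrote to memory of 2688 N/A C:\Windows\SysWOW64\cmd.exe C:\ChainProvider\BridgeWin.exe",
    r"PID 2688 wrote to memory of 2016 N/A C:\ChainProvider\BridgeWin.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
    r"PID 2016 wrote to memory of 2380 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe",
    r"PID 2688 wrote to memory of 484 N/A C:\ChainProvider\BridgeWin.exe C:\Windows\System32\cmd.exe",
    r"PID 484 wrote to memory of 952 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\chcp.com",
    r"PID 484 wrote to memory of 1652 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\PING.EXE",
    r"PID 484 wrote to memory of 600 N/A C:\Windows\System32\cmd.exe C:\Program Files\Java\jre7\bin\dtplugin\winlogon.exe",
    r"PID 600 wrote to memory of 2104 N/A C:\Program Files\Java\jre7\bin\dtplugin\winlogon.exe C:\Windows\System32\cmd.exe",
    r"PID 2104 wrote to memory of 572 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\chcp.com",
    r"PID 2104 wrote to memory of 2132 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe",
    r"PID 2104 wrote to memory of 1704 N/A C:\Windows\System32\cmd.exe C:\Program Files\Java\jre7\bin\dtplugin\winlogon.exe",
    # Constructed row; the report gives no PIDs for the WmiPrvSE -> schtasks spawns.
    r"PID 1234 wrote to memory of 2345 N/A C:\Windows\system32\wbem\wmiprvse.exe C:\Windows\system32\schtasks.exe",
]


def image_name(path):
    return PureWindowsPath(path).name.lower()


def is_masquerade(path):
    """A system binary name whose directory is not a Windows directory."""
    p = PureWindowsPath(path)
    return bool(p.drive) and p.name.lower() in SYSTEM_NAMES \
        and str(p.parent).lower() not in SYSTEM_DIRS


def build_tree(rows):
    """Return (image by pid, parent pid by pid, child pids by pid). The
    sandbox logs several write events per spawn; each edge is kept once."""
    image, parent, children = {}, {}, defaultdict(list)
    for row in rows:
        m = ROW.match(row)
        if not m:
            continue
        ppid, cpid = int(m.group(1)), int(m.group(2))
        image.setdefault(ppid, m["parent"])
        image[cpid] = m["child"]
        if parent.get(cpid) != ppid:
            parent[cpid] = ppid
            children[ppid].append(cpid)
    return image, parent, children


def analyse(rows):
    """Return (finding, pid, detail) tuples for the tree."""
    image, parent, children = build_tree(rows)
    findings = []
    for pid, path in image.items():
        ppid = parent.get(pid)
        if is_masquerade(path):
            findings.append(("masquerade", pid, path))
        if ppid is not None and (image_name(image[ppid]), image_name(path)) in UNEXPECTED_PARENT:
            findings.append(("unexpected_parent", pid,
                             f"{image_name(image[ppid])} -> {image_name(path)}"))
        if image_name(path) == "cmd.exe" and ppid is not None:
            kids = [image[c] for c in children[pid]]
            if any(image_name(k) in DELAY_BINARIES for k in kids):
                # A cmd.exe that sleeps and then starts something outside the
                # Windows directories is a delayed launch; if that something
                # is its own grandparent's image, it is the relaunch loop.
                for k in kids:
                    if str(PureWindowsPath(k).parent).lower() not in SYSTEM_DIRS:
                        findings.append(("delayed_exec", pid, k))
                        if k.lower() == image[ppid].lower():
                            findings.append(("self_relaunch", pid, k))
    return findings


if __name__ == "__main__":
    for kind, pid, detail in analyse(ROWS):
        print(f"{kind:18} pid={pid:<5} {detail}")
```

On the report's rows this yields the two masquerading winlogon.exe processes (600 and 1704), the delayed launch from cmd.exe 484, the self-relaunch from cmd.exe 2104 back into the same winlogon.exe image, and the WmiPrvSE-to-schtasks pair from the constructed row. The delay check keys on image names, so it also works on EDR process-creation telemetry where only paths are available.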

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\b86ca52b5137070fecf0f62413e67427bb325b68c67677085b4945394edb416f.exe

"C:\Users\Admin\AppData\Local\Temp\b86ca52b5137070fecf0f62413e67427bb325b68c67677085b4945394edb416f.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\ChainProvider\jpxBqgIRsq2SLG1PgyDmjdYOwbC.vbe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\ChainProvider\Ue6DPbuBmrgvvM.bat" "

C:\ChainProvider\BridgeWin.exe

"C:\ChainProvider/BridgeWin.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\Idle.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\Idle.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\Idle.exe'" /rl HIGHEST /f

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\wecdgk2q\wecdgk2q.cmdline"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES59D3.tmp" "c:\Windows\System32\CSCEDB5FC9FC77B459ABBA87BD8A62AF982.TMP"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\wininit.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\Program Files\Java\jre7\bin\dtplugin\winlogon.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\Java\jre7\bin\dtplugin\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\Program Files\Java\jre7\bin\dtplugin\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Recovery\8f60a382-0d98-11ef-817d-5aba25856535\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\8f60a382-0d98-11ef-817d-5aba25856535\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Recovery\8f60a382-0d98-11ef-817d-5aba25856535\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Resources\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Resources\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Resources\csrss.exe'" /rl HIGHEST /f

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\3gjbg6SrjC.bat"

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Program Files\Java\jre7\bin\dtplugin\winlogon.exe

"C:\Program Files\Java\jre7\bin\dtplugin\winlogon.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\7vUbsmDZqq.bat"

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files\Java\jre7\bin\dtplugin\winlogon.exe

"C:\Program Files\Java\jre7\bin\dtplugin\winlogon.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\tLBDHjzlZn.bat"

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files\Java\jre7\bin\dtplugin\winlogon.exe

"C:\Program Files\Java\jre7\bin\dtplugin\winlogon.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\6UZvaQo7Ba.bat"

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Program Files\Java\jre7\bin\dtplugin\winlogon.exe

"C:\Program Files\Java\jre7\bin\dtplugin\winlogon.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\L3SaAS0x6v.bat"

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost
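
Every schtasks.exe command line above follows one template: /create /tn with a name borrowed from a system process, /sc MINUTE /mo with a short interval or /sc ONLOGON, /tr pointing at a dropped copy wrapped in single quotes, /rl HIGHEST on most of them, and /f on all of them. Because /f overwrites an existing task of the same name, the task names csrss and csrssc are registered first for the copy under C:\Recovery and then re-pointed at the Analysis Services copy, so only the last /create per name survives. The parser below is an added example, not the report's or the sample's code: it extracts the task definition from each command line, replays the creates the way the scheduler resolves them, and flags masqueraded image names, HIGHEST run level, logon triggers combined with HIGHEST, and short minute intervals (the 15-minute threshold is an assumption). Nine COMMANDS lines are copied from the report; the BackupNightly line is a constructed benign control.

```python
"""
Added example, not the report's or the sample's code: parse the schtasks.exe
/create command lines above, replay them as the scheduler would, and flag
the traits that make them persistence. COMMANDS holds nine lines copied from
the report plus one constructed benign control (last line, invented product).
"""
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import Dict, List, Optional

SYSTEM_NAMES = {"winlogon.exe", "csrss.exe", "wininit.exe", "lsass.exe",
                "svchost.exe", "dllhost.exe", "smss.exe"}
SYSTEM_DIRS = {"c:\\windows", "c:\\windows\\system32", "c:\\windows\\syswow64"}
SHORT_INTERVAL_MINUTES = 15     # threshold assumed for this example

# "/opt value" pairs: a value is a double-quoted string or a bare token that
# does not start with "/". Options without a value (/create, /f) get "".
OPT = re.compile(r'/(\w+)(?:\s+("[^"]*"|[^/\s]\S*))?')
# First executable path inside the /tr action; the sample wraps the path in
# single quotes inside the double quotes.
ACTION_IMAGE = re.compile(r"""'?([A-Za-z]:\\[^'"]+?\.exe)""", re.IGNORECASE)

COMMANDS = [
    r'''schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\Idle.exe'" /f''',
    r'''schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\Idle.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\Idle.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Recovery\8f60a382-0d98-11ef-817d-5aba25856535\csrss.exe'" /f''',
    r'''schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\8f60a382-0d98-11ef-817d-5aba25856535\csrss.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Recovery\8f60a382-0d98-11ef-817d-5aba25856535\csrss.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Resources\csrss.exe'" /f''',
    r'''schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Resources\csrss.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Resources\csrss.exe'" /rl HIGHEST /f''',
    # Constructed benign control (product, path and task name are invented).
    r'''schtasks.exe /create /tn "BackupNightly" /sc DAILY /st 02:00 /tr "'C:\Program Files\Backup Corp\backup.exe' --nightly" /f''',
]


@dataclass
class Task:
    name: str
    schedule: str
    interval: Optional[int]
    run_level: Optional[str]
    image: str
    force: bool


def parse_create(cmd: str) -> Optional[Task]:
    """Return the Task a 'schtasks /create' line defines, or None."""
    opts = {k.lower(): v.strip('"') for k, v in OPT.findall(cmd)}
    if "create" not in opts or "tn" not in opts:
        return None
    action = opts.get("tr", "")
    m = ACTION_IMAGE.match(action)
    return Task(
        name=opts["tn"],
        schedule=opts.get("sc", "").upper(),
        interval=int(opts["mo"]) if opts.get("mo", "").isdigit() else None,
        run_level=opts.get("rl", "").upper() or None,
        image=m.group(1) if m else action,
        force="f" in opts,
    )


def replay(cmds: List[str]) -> Dict[str, Task]:
    """Resolve the creates as the scheduler does: with /f a later create
    replaces the task of that name, without /f it fails and the old task
    stays. Only the surviving definition per name is returned."""
    tasks: Dict[str, Task] = {}
    for cmd in cmds:
        t = parse_create(cmd)
        if t and (t.force or t.name not in tasks):
            tasks[t.name] = t
    return tasks


def assess(task: Task) -> List[str]:
    reasons = []
    p = PureWindowsPath(task.image)
    if p.drive and p.name.lower() in SYSTEM_NAMES and str(p.parent).lower() not in SYSTEM_DIRS:
        reasons.append("masquerade")
    if task.run_level == "HIGHEST":
        reasons.append("highest_runlevel")
    if task.schedule == "ONLOGON" and task.run_level == "HIGHEST":
        reasons.append("onlogon_highest")
    if task.schedule == "MINUTE" and task.interval is not None \
            and task.interval <= SHORT_INTERVAL_MINUTES:
        reasons.append("short_interval")
    return reasons


def triage(cmds: List[str]) -> Dict[str, List[str]]:
    """Surviving task name -> reasons it is suspicious (empty lists dropped)."""
    result = {}
    for name, task in replay(cmds).items():
        reasons = assess(task)
        if reasons:
            result[name] = reasons
    return result


if __name__ == "__main__":
    for name, task in replay(COMMANDS).items():
        print(f"{name:14} {task.schedule:8} {task.interval!s:5} {task.run_level!s:8} {task.image}")
    print(triage(COMMANDS))
```

Replaying the nine report lines leaves four tasks, not nine: IdleI ends up on the 8-minute HIGHEST definition, and csrss and csrssc both end up pointing at the Analysis Services csrss.exe, so a responder who only deletes the C:\Recovery copy removes nothing the scheduler still runs. The constructed BackupNightly task survives the replay but produces no findings.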

Network

Country Destination Domain Proto
RU 89.23.96.63:80 tcp
RU 89.23.96.63:80 tcp
RU 89.23.96.63:80 tcp
RU 89.23.96.63:80 tcp

Files

C:\ChainProvider\jpxBqgIRsq2SLG1PgyDmjdYOwbC.vbe

MD5 55e5be814935518dd671f62280d31bf7
SHA1 5b2fe2c2bc5b928a1225cf5b01c05dba98384812
SHA256 4e6b3324992136821adcecafa68aa60e1ec41664737ed1a75e96de82c3abd979
SHA512 873f644b249cebdf2a666e30eb1c06b8e276a5311d72f7c17af7fdad5ff767577c1a1cc2b9d9d84bfee28898e179356aa334aa29596a57549770f737c3d555b0

C:\ChainProvider\Ue6DPbuBmrgvvM.bat

MD5 6c93675d5528de536918490f2a030831
SHA1 ea764eee1b3bde0450319ef30b2433a9a46d4186
SHA256 0fef681907e2cf1e93b3ed1f68439901833d5ada3c70aa374e024560bfc86d64
SHA512 c935abd4d5390841784dee4edb8941b26a7fb5091b6d38e329959e70626fa19bb600d957456f079a95ab6ff2ba2f5059ae4ecfebe360d18aaf1ad61edccd6679

C:\ChainProvider\BridgeWin.exe

MD5 08efce1648b0191ab668a92693f404d2
SHA1 8e0e2293ac8a05c4ead1db9f35131814af0f0838
SHA256 4a9ccd37881052fa211713f88560e534684dc38bf54869b89e044f1606924191
SHA512 86a7f9f8dd555408de32ebbc43825da2d01bdf1504d0ccd7d087195586f0276726444c11b1e6cc5c4c2bb7aaf3e7ec1ccd885ded7168b2f800c42aa012169186

memory/2688-13-0x0000000000D90000-0x00000000010DA000-memory.dmp

memory/2688-15-0x0000000000170000-0x000000000017E000-memory.dmp

memory/2688-17-0x0000000000180000-0x000000000019C000-memory.dmp

memory/2688-19-0x00000000003B0000-0x00000000003C8000-memory.dmp

memory/2688-21-0x00000000001A0000-0x00000000001B0000-memory.dmp

memory/2688-23-0x00000000003D0000-0x00000000003E0000-memory.dmp

memory/2688-25-0x00000000003E0000-0x00000000003EE000-memory.dmp

memory/2688-27-0x00000000003F0000-0x00000000003FE000-memory.dmp

memory/2688-29-0x0000000000410000-0x000000000041E000-memory.dmp

memory/2688-31-0x00000000005D0000-0x00000000005E2000-memory.dmp

memory/2688-33-0x0000000000420000-0x0000000000430000-memory.dmp

memory/2688-35-0x00000000005F0000-0x0000000000606000-memory.dmp

memory/2688-37-0x0000000000610000-0x0000000000622000-memory.dmp

memory/2688-39-0x0000000000430000-0x000000000043C000-memory.dmp

memory/2688-41-0x0000000000440000-0x0000000000450000-memory.dmp

memory/2688-43-0x0000000000630000-0x0000000000640000-memory.dmp

memory/2688-45-0x0000000000C40000-0x0000000000C9A000-memory.dmp

memory/2688-47-0x0000000000640000-0x0000000000650000-memory.dmp

memory/2688-49-0x0000000000650000-0x000000000065E000-memory.dmp

memory/2688-51-0x0000000000660000-0x000000000066C000-memory.dmp

memory/2688-53-0x00000000009F0000-0x0000000000A3E000-memory.dmp

\??\c:\Users\Admin\AppData\Local\Temp\wecdgk2q\wecdgk2q.cmdline

MD5 000685f8fdba1068a2d74ff18ad04024
SHA1 b3da3bd64e75e70019419efe0b70dc17c6396854
SHA256 751792f5da05ceb99cf0d19c18ed9440d6fc42ce30f3636f6e1392f6c32c54a4
SHA512 6a837a8701eec9ae5f42208915fcc93d7b92e406c0ebcd4d6a27686778eaf3a22b18719f8f87a5885e2342552ebb4b4ea1cb775a2db666d38640ef384b5c308d

\??\c:\Users\Admin\AppData\Local\Temp\wecdgk2q\wecdgk2q.0.cs

MD5 05c05e646bdc37c948a053bd3fd6c91a
SHA1 fe536465bae1847e6f5ff4460ddf5ceff6ae29f0
SHA256 9db53cd239fee24147c2994efe5e6528726e115f0fe3e4c3b141c51c0d91dc6b
SHA512 88712dd341414535f3928eabb8c8e0eab9764383578a9a80a5efe1983e0800a6d3f2dc4e769f299c5e29eaac6d3e05a53890d3fd23807ab18467cabada8517e5

\??\c:\Windows\System32\CSCEDB5FC9FC77B459ABBA87BD8A62AF982.TMP

MD5 dc62d02b56d310e294d158c225b91f50
SHA1 844e69b5ff0328e80441c54dbdff39d82c3263ba
SHA256 be8b5c97dc2eb2b7a62245da79d879ac20bb8e123c06b565f27e330bfe4fa0f8
SHA512 23e9004baf3f7dc17611fa3fa65e5c8dbd0c49cb43b831688eec9b938c28a3ca6029d737de77810271ac9f0779c27f62db123d2831aee13527d0a3088c39c209

C:\Users\Admin\AppData\Local\Temp\RES59D3.tmp

MD5 75a445e119178f427996f0fae9d52e35
SHA1 20ebbe97dea871e81114dd4e4d63868b20ec5cde
SHA256 4f857562993092c249f943d972c402971069c9b19fdb90b6952287039fb439a9
SHA512 7ee0bf147100682a60820dd8345a5f00b56e10f82c07c247950ff498cae08f4a94d04812a9a906281f332bcf8c94ce234d0463235dc77295b5268ac2ac5126b0

C:\Users\Admin\AppData\Local\Temp\3gjbg6SrjC.bat

MD5 7892eeadec314a82b0f45ce5b30fe4a0
SHA1 6ba1ac82b73d6775f07fbae26b2a03f12f26a32a
SHA256 7424d52ee356f1a12bf28d774670c9e689015513dcfd46c8c4c5436cde589b73
SHA512 8266671c5e92f9d9de45b5959495f32d8d4824416ea3032f2e7cd1dff3d79f84be879b7365950633ba51ab87c730e750f2feb032a4664a57b7dc39b83e5f9ecb

memory/600-83-0x0000000000360000-0x00000000006AA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7vUbsmDZqq.bat

MD5 2243f87f2d0ed0491232578e913cc321
SHA1 01b7fa38d052c01fd439c03e8a37477f57e54322
SHA256 55791bd34a6625f880d09aabd4499945f5e28e37077a71a595d4989c98d3b232
SHA512 152abc04793e72382108c30a131057b00a5cbacdecc2eba4caf45818f8943e1e85a5a6b858df315857e133be15a24e0037efe9723b70675f2b56acdf48763249

memory/1704-110-0x00000000009B0000-0x0000000000CFA000-memory.dmp

\??\PIPE\lsarpc

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

These four digests are the digests of empty input: the sandbox recorded the handle to the named pipe but captured no data through it, so they are not usable as indicators.

C:\Users\Admin\AppData\Local\Temp\tLBDHjzlZn.bat

MD5 fd02e30ba2f0c4df62ba55d4872e669c
SHA1 bbb1d95f50ed93d12a09d3b36dce8e8bbdaef412
SHA256 32f195505e3835260d78b82d39bfb1f504dc109cc4eaef03495edebb0dd74ac8
SHA512 baf20030ccb27151c4dda92ee6728d84acaa01f0c9abed28f3cb648b0d9465e4bcd1747d92c9fc5a58fc298e144109f224e6f596256cc40efab25c2c013cfe2b

memory/2620-138-0x00000000002F0000-0x000000000063A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\6UZvaQo7Ba.bat

MD5 cf4195e782bc4413323733d3f95e7969
SHA1 2bb31f6d7c6dc493bf9b043bae12a00b395bb3e0
SHA256 de2946b5aa55831c7e68c161d3e99389fb2dabf3a740a7bf6454ef509fa5c221
SHA512 5563b97f5c3bfe5229f62b8a235d1572b0ea513cd2feaa8107af574e6ba0c21a771a30839dacd3ecea2a971b4a0b3aee5db687eb0800054e26350233d7ba8df5

C:\Users\Admin\AppData\Local\Temp\L3SaAS0x6v.bat

MD5 b7051b4e80a227534529c9206df4dd45
SHA1 86535922177bd967b160be840cf5d490c54b82ff
SHA256 061be9cb196ff370e9fbd799484eaed80d7041ec389223e64d23168f331038dd
SHA512 7147f256c3cc98691e65071750597cf80bdaed4d7e2a7408171db4ba07d43665d17a50eee0c835a17909b3eca86c019983cf1cc01276fd1baaccf568abe013de

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-09 03:11

Reported

2024-05-09 03:13

Platform

win10v2004-20240508-en

Max time kernel

150s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b86ca52b5137070fecf0f62413e67427bb325b68c67677085b4945394edb416f.exe"

Signatures

Detect ZGRat V1

Description Indicator Process Target
N/A N/A N/A N/A

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Common Files\\microsoft shared\\MSInfo\\StartMenuExperienceHost.exe\", \"C:\\Windows\\tracing\\backgroundTaskHost.exe\", \"C:\\Recovery\\WindowsRE\\SearchApp.exe\"" C:\ChainProvider\BridgeWin.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Common Files\\microsoft shared\\MSInfo\\StartMenuExperienceHost.exe\", \"C:\\Windows\\tracing\\backgroundTaskHost.exe\", \"C:\\Recovery\\WindowsRE\\SearchApp.exe\", \"C:\\Recovery\\WindowsRE\\dllhost.exe\"" C:\ChainProvider\BridgeWin.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Common Files\\microsoft shared\\MSInfo\\StartMenuExperienceHost.exe\", \"C:\\Windows\\tracing\\backgroundTaskHost.exe\", \"C:\\Recovery\\WindowsRE\\SearchApp.exe\", \"C:\\Recovery\\WindowsRE\\dllhost.exe\", \"C:\\Recovery\\WindowsRE\\dllhost.exe\"" C:\ChainProvider\BridgeWin.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Common Files\\microsoft shared\\MSInfo\\StartMenuExperienceHost.exe\"" C:\ChainProvider\BridgeWin.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Common Files\\microsoft shared\\MSInfo\\StartMenuExperienceHost.exe\", \"C:\\Windows\\tracing\\backgroundTaskHost.exe\"" C:\ChainProvider\BridgeWin.exe N/A

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe

ZGRat

rat zgrat

Detects executables packed with unregistered version of .NET Reactor

Description Indicator Process Target
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\Recovery\WindowsRE\SearchApp.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\b86ca52b5137070fecf0f62413e67427bb325b68c67677085b4945394edb416f.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\WScript.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\ChainProvider\BridgeWin.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SearchApp = "\"C:\\Recovery\\WindowsRE\\SearchApp.exe\"" C:\ChainProvider\BridgeWin.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SearchApp = "\"C:\\Recovery\\WindowsRE\\SearchApp.exe\"" C:\ChainProvider\BridgeWin.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Recovery\\WindowsRE\\dllhost.exe\"" C:\ChainProvider\BridgeWin.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Recovery\\WindowsRE\\dllhost.exe\"" C:\ChainProvider\BridgeWin.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\StartMenuExperienceHost = "\"C:\\Program Files\\Common Files\\microsoft shared\\MSInfo\\StartMenuExperienceHost.exe\"" C:\ChainProvider\BridgeWin.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\StartMenuExperienceHost = "\"C:\\Program Files\\Common Files\\microsoft shared\\MSInfo\\StartMenuExperienceHost.exe\"" C:\ChainProvider\BridgeWin.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\backgroundTaskHost = "\"C:\\Windows\\tracing\\backgroundTaskHost.exe\"" C:\ChainProvider\BridgeWin.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\backgroundTaskHost = "\"C:\\Windows\\tracing\\backgroundTaskHost.exe\"" C:\ChainProvider\BridgeWin.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created \??\c:\Windows\System32\CSCE1BE56B6646E460894DBFBFBA3F4D9A4.TMP C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe N/A
File created \??\c:\Windows\System32\cwwwvr.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Common Files\microsoft shared\MSInfo\55b276f4edf653 C:\ChainProvider\BridgeWin.exe N/A
File created C:\Program Files\Common Files\microsoft shared\MSInfo\StartMenuExperienceHost.exe C:\ChainProvider\BridgeWin.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\MSInfo\StartMenuExperienceHost.exe C:\ChainProvider\BridgeWin.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\tracing\backgroundTaskHost.exe C:\ChainProvider\BridgeWin.exe N/A
File created C:\Windows\tracing\eddb19405b7ce1 C:\ChainProvider\BridgeWin.exe N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings C:\Recovery\WindowsRE\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\b86ca52b5137070fecf0f62413e67427bb325b68c67677085b4945394edb416f.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings C:\ChainProvider\BridgeWin.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\PING.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\ChainProvider\BridgeWin.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\ChainProvider\BridgeWin.exe N/A
Token: SeDebugPrivilege N/A C:\Recovery\WindowsRE\SearchApp.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1060 wrote to memory of 4356 N/A C:\Users\Admin\AppData\Local\Temp\b86ca52b5137070fecf0f62413e67427bb325b68c67677085b4945394edb416f.exe C:\Windows\SysWOW64\WScript.exe
PID 4356 wrote to memory of 4516 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 4516 wrote to memory of 4468 N/A C:\Windows\SysWOW64\cmd.exe C:\ChainProvider\BridgeWin.exe
PID 4468 wrote to memory of 3644 N/A C:\ChainProvider\BridgeWin.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
PID 3644 wrote to memory of 4896 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
PID 4468 wrote to memory of 4196 N/A C:\ChainProvider\BridgeWin.exe C:\Windows\System32\cmd.exe
PID 4196 wrote to memory of 4552 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\chcp.com
PID 4196 wrote to memory of 1848 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 4196 wrote to memory of 3464 N/A C:\Windows\System32\cmd.exe C:\Recovery\WindowsRE\SearchApp.exe
PID 3464 wrote to memory of 2248 N/A C:\Recovery\WindowsRE\SearchApp.exe C:\Windows\System32\cmd.exe
PID 2248 wrote to memory of 4324 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\chcp.com
PID 2248 wrote to memory of 4488 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\PING.EXE
PID 2248 wrote to memory of 4332 N/A C:\Windows\System32\cmd.exe C:\Recovery\WindowsRE\SearchApp.exe
PID 4332 wrote to memory of 3608 N/A C:\Recovery\WindowsRE\SearchApp.exe C:\Windows\System32\cmd.exe
PID 3608 wrote to memory of 2408 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\chcp.com
PID 3608 wrote to memory of 1680 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 3608 wrote to memory of 1800 N/A C:\Windows\System32\cmd.exe C:\Recovery\WindowsRE\SearchApp.exe
PID 1800 wrote to memory of 4612 N/A C:\Recovery\WindowsRE\SearchApp.exe C:\Windows\System32\cmd.exe
PID 4612 wrote to memory of 4608 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\chcp.com
PID 4612 wrote to memory of 4624 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 4612 wrote to memory of 4852 N/A C:\Windows\System32\cmd.exe C:\Recovery\WindowsRE\SearchApp.exe
PID 4852 wrote to memory of 3112 N/A C:\Recovery\WindowsRE\SearchApp.exe C:\Windows\System32\cmd.exe
PID 3112 wrote to memory of 4244 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\chcp.com
PID 3112 wrote to memory of 3752 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\PING.EXE
PID 3112 wrote to memory of 2724 N/A C:\Windows\System32\cmd.exe C:\Recovery\WindowsRE\SearchApp.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\b86ca52b5137070fecf0f62413e67427bb325b68c67677085b4945394edb416f.exe

"C:\Users\Admin\AppData\Local\Temp\b86ca52b5137070fecf0f62413e67427bb325b68c67677085b4945394edb416f.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\ChainProvider\jpxBqgIRsq2SLG1PgyDmjdYOwbC.vbe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\ChainProvider\Ue6DPbuBmrgvvM.bat" "

C:\ChainProvider\BridgeWin.exe

"C:\ChainProvider/BridgeWin.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 9 /tr "'C:\Program Files\Common Files\microsoft shared\MSInfo\StartMenuExperienceHost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Program Files\Common Files\microsoft shared\MSInfo\StartMenuExperienceHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 5 /tr "'C:\Program Files\Common Files\microsoft shared\MSInfo\StartMenuExperienceHost.exe'" /rl HIGHEST /f

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\at1jstg5\at1jstg5.cmdline"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9683.tmp" "c:\Windows\System32\CSCE1BE56B6646E460894DBFBFBA3F4D9A4.TMP"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 6 /tr "'C:\Windows\tracing\backgroundTaskHost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Windows\tracing\backgroundTaskHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 14 /tr "'C:\Windows\tracing\backgroundTaskHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\SearchApp.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\SearchApp.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\SearchApp.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Eo3NOVlJF1.bat"

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Recovery\WindowsRE\SearchApp.exe

"C:\Recovery\WindowsRE\SearchApp.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\cWXsH5vMZ0.bat"

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Recovery\WindowsRE\SearchApp.exe

"C:\Recovery\WindowsRE\SearchApp.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Yo3Upowo0F.bat"

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Recovery\WindowsRE\SearchApp.exe

"C:\Recovery\WindowsRE\SearchApp.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\rnyMd9S9uS.bat"

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Recovery\WindowsRE\SearchApp.exe

"C:\Recovery\WindowsRE\SearchApp.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\KmR8xVOsrj.bat"

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Recovery\WindowsRE\SearchApp.exe

"C:\Recovery\WindowsRE\SearchApp.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 138.32.126.40.in-addr.arpa udp
RU 89.23.96.63:80 tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 63.141.182.52.in-addr.arpa udp

Files

C:\ChainProvider\jpxBqgIRsq2SLG1PgyDmjdYOwbC.vbe

MD5 55e5be814935518dd671f62280d31bf7
SHA1 5b2fe2c2bc5b928a1225cf5b01c05dba98384812
SHA256 4e6b3324992136821adcecafa68aa60e1ec41664737ed1a75e96de82c3abd979
SHA512 873f644b249cebdf2a666e30eb1c06b8e276a5311d72f7c17af7fdad5ff767577c1a1cc2b9d9d84bfee28898e179356aa334aa29596a57549770f737c3d555b0

C:\ChainProvider\Ue6DPbuBmrgvvM.bat

MD5 6c93675d5528de536918490f2a030831
SHA1 ea764eee1b3bde0450319ef30b2433a9a46d4186
SHA256 0fef681907e2cf1e93b3ed1f68439901833d5ada3c70aa374e024560bfc86d64
SHA512 c935abd4d5390841784dee4edb8941b26a7fb5091b6d38e329959e70626fa19bb600d957456f079a95ab6ff2ba2f5059ae4ecfebe360d18aaf1ad61edccd6679

C:\ChainProvider\BridgeWin.exe

MD5 08efce1648b0191ab668a92693f404d2
SHA1 8e0e2293ac8a05c4ead1db9f35131814af0f0838
SHA256 4a9ccd37881052fa211713f88560e534684dc38bf54869b89e044f1606924191
SHA512 86a7f9f8dd555408de32ebbc43825da2d01bdf1504d0ccd7d087195586f0276726444c11b1e6cc5c4c2bb7aaf3e7ec1ccd885ded7168b2f800c42aa012169186

\??\c:\Users\Admin\AppData\Local\Temp\at1jstg5\at1jstg5.cmdline

MD5 41ca946115e083d1bbaa8ec7f735a54c
SHA1 7d55f295304852fa9d56efeeab68696ff3fa7c56
SHA256 ac8f6f1ab29e0becd6290804cb5b4035407c4faa76b5af9d099c45b9afd087a2
SHA512 d968eb63db4d6eed764651f248446c4b3768eb9bf5419a0682042d12a7832b4220df75946fa9fba929cd037300fcec2b039d3b5d939f41356a6cc8df5153b907

\??\c:\Users\Admin\AppData\Local\Temp\at1jstg5\at1jstg5.0.cs

MD5 d4772af6e6051ace5f3da6d83c146e35
SHA1 41d0cf6143fbc45e4881c60cc31abc0109708699
SHA256 ad988f857ca9a9b21858e1cccc20057da7f20255ccb838f0c25b604360e582a6
SHA512 86e163533490801eed57fd1bf1ff9630702521e4cd62d5918d187642e898fffa95a8a4632df1ecca716b5279806bbd74bcc0288c39ef3f3adeb5359d8048b4ec

\??\c:\Windows\System32\CSCE1BE56B6646E460894DBFBFBA3F4D9A4.TMP

MD5 913b41bbe173c6878eae5b8d8b62f5b7
SHA1 386047df3df2b03e486bc87c4b7a3fee5f68ad73
SHA256 24e424d4d217bc9b5e76e0867e2715aabb09d7e49ab1e716eefb40d718e4f135
SHA512 c71d73ccf422818dce69b867726b04c54b6418b99d67227e7dc328c3c3df86f0235630feb91494f8102540aa94fce68674707db991222ce4c79934c17b9c0cc9

C:\Users\Admin\AppData\Local\Temp\RES9683.tmp

MD5 44e26e37c8ba28a1b7c8845399a27864
SHA1 6917a460a2b4b8b608583e8c0f2dd3ae8657c7a0
SHA256 3ca24859b973762264e424bcbe1aea4028409c2ec7cc4648510e60434e315555
SHA512 f8859cd5334efa4329c8483d9643ea1d42542f55bc071b24d8ea8c0b8713e0806f843e3f22d4d947a3c8dc0e3da722c97451bbcda0771ece6edd8c2fce5e4f8e

C:\Users\Admin\AppData\Local\Temp\Eo3NOVlJF1.bat

MD5 f667b066eabb183868ca758af6170304
SHA1 61d8a3ae29e454aa58fdee912502d68ad0cf122a
SHA256 c8ee9ded150f32ab7b26e26087e3eb33b2f5305b3c19e5baf8367b92b09f5d57
SHA512 5cc708870a3ebe51d27526c7d5aac597abb947644bb25ec0ddf4032b1cdfacde41b325db509f556b38e984ae2524f25ebf1b109373fd0229c7a4ac3261722b79

C:\Users\Admin\AppData\Local\Temp\cWXsH5vMZ0.bat

MD5 d70854ccd59046c385bbc69b1ec544b8
SHA1 0da1cf3a0f47d64cceb59370fb89422efd0291a2
SHA256 78814a086c3d27e6cfa13c9e366609a906db4de05a731eb8878f9727170d71c9
SHA512 2d58d4628dc6511557f8ad69597f5e00fb0c0a3d4cf4332a2ea979b6dbf912510cb186cd20e7f0e64882be81d49ed0004316c8bf658cee779d1bc962a9dd02d0

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\SearchApp.exe.log

MD5 3c93e1d75c4f1682ef0f33b9c0759623
SHA1 b725fdf914847d4896aec8e97d7535bed90ed02a
SHA256 6905fbb07def20c266499860d66336405ee8a44de59fc7da1ef879ab4bc08b93
SHA512 31bbda359f7184f2b45fe4775b4c9b58a1720183964006557292fff8412d179379893816dc760a2b433bdbbb23c9fadaf9975a821734a891db7cbc34b410b5cf

C:\Users\Admin\AppData\Local\Temp\Yo3Upowo0F.bat

MD5 191e030ebeee617fa59ae2442e44fd68
SHA1 2a4b8ef287b5609b340c1214d9040c997ec3f496
SHA256 b7005077197a9d35c53d2514d13a09a27812fcd38618f8569f8c30ce88885af3
SHA512 1252621bac2428430e5884ee390641ed0d448b90dc75afbdc0684e57a9772073277a3cca89a7ea4ed4829108d3281c01515ae350ac382a3f6161499b3708fe65

C:\Users\Admin\AppData\Local\Temp\rnyMd9S9uS.bat

MD5 a0b2305dba96c6b90e9067f03a5a4de6
SHA1 434b66e8f9b6e9a75500b4fdb633fabd9f0c078b
SHA256 a3d3b22111fe5c05ef23088d78cf849dd92d2f18ff02845433b7eaee2e34e6b1
SHA512 cc012865f7cd9fac0f00efec44f5e634c0f157a640ba1e9158f4918bed657d52cc64d06690390fdaf400385365cc9858fc13cca708d3a1c4622e5741211f382a

C:\Users\Admin\AppData\Local\Temp\KmR8xVOsrj.bat

MD5 5aa3b1838b5fd938355b6513b44f6de2
SHA1 0f09dacf583120661fff7d20ae5fff91e336ce13
SHA256 7b54418f7480210b3a6c82f6e7bddc2651c628e8ffbfeaca3c4f2497e791747d
SHA512 ad3fd9c9f02ef8376f4188c31590191212ebac5df7655029e6bfbc09d6e38644060c1adb000dda8f805e1fd3988dae45599cbf1cf3ffcb44d6702ec09a4f09bf