Malware Analysis Report

2024-11-30 20:05

Sample ID 240509-khbs7ahc6s
Target f8a7cc2e3e5a8dbfaa11ddb2c1c3286eda1e906dd66c29adc5a9a6c5f7ceed9c.exe
SHA256 f8a7cc2e3e5a8dbfaa11ddb2c1c3286eda1e906dd66c29adc5a9a6c5f7ceed9c
Tags
zgrat rat
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

f8a7cc2e3e5a8dbfaa11ddb2c1c3286eda1e906dd66c29adc5a9a6c5f7ceed9c

Threat Level: Known bad

The file f8a7cc2e3e5a8dbfaa11ddb2c1c3286eda1e906dd66c29adc5a9a6c5f7ceed9c.exe was found to be: Known bad.

Malicious Activity Summary

zgrat rat

Zgrat family

Detect ZGRat V1

ZGRat

Checks computer location settings

Unsigned PE

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Modifies registry class

Suspicious use of AdjustPrivilegeToken

Runs ping.exe

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-09 08:35

Signatures

Detect ZGRat V1

Description Indicator Process Target
N/A N/A N/A N/A

Zgrat family

zgrat

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-09 08:35

Reported

2024-05-09 08:38

Platform

win7-20240508-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f8a7cc2e3e5a8dbfaa11ddb2c1c3286eda1e906dd66c29adc5a9a6c5f7ceed9c.exe"

Signatures

Detect ZGRat V1

Description Indicator Process Target
N/A N/A N/A N/A

ZGRat

rat zgrat

Enumerates physical storage devices

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\PING.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\f8a7cc2e3e5a8dbfaa11ddb2c1c3286eda1e906dd66c29adc5a9a6c5f7ceed9c.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2432 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\f8a7cc2e3e5a8dbfaa11ddb2c1c3286eda1e906dd66c29adc5a9a6c5f7ceed9c.exe C:\Windows\System32\cmd.exe
PID 2668 wrote to memory of 2532 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\chcp.com
PID 2668 wrote to memory of 2836 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\PING.EXE
PID 2668 wrote to memory of 2556 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\AppData\Local\Temp\f8a7cc2e3e5a8dbfaa11ddb2c1c3286eda1e906dd66c29adc5a9a6c5f7ceed9c.exe
PID 2556 wrote to memory of 796 N/A C:\Users\Admin\AppData\Local\Temp\f8a7cc2e3e5a8dbfaa11ddb2c1c3286eda1e906dd66c29adc5a9a6c5f7ceed9c.exe C:\Windows\System32\cmd.exe
PID 796 wrote to memory of 1968 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\chcp.com
PID 796 wrote to memory of 1984 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 796 wrote to memory of 1668 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\AppData\Local\Temp\f8a7cc2e3e5a8dbfaa11ddb2c1c3286eda1e906dd66c29adc5a9a6c5f7ceed9c.exe
PID 1668 wrote to memory of 1212 N/A C:\Users\Admin\AppData\Local\Temp\f8a7cc2e3e5a8dbfaa11ddb2c1c3286eda1e906dd66c29adc5a9a6c5f7ceed9c.exe C:\Windows\System32\cmd.exe
PID 1212 wrote to memory of 2284 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\chcp.com
PID 1212 wrote to memory of 2296 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 1212 wrote to memory of 2312 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\AppData\Local\Temp\f8a7cc2e3e5a8dbfaa11ddb2c1c3286eda1e906dd66c29adc5a9a6c5f7ceed9c.exe
PID 2312 wrote to memory of 684 N/A C:\Users\Admin\AppData\Local\Temp\f8a7cc2e3e5a8dbfaa11ddb2c1c3286eda1e906dd66c29adc5a9a6c5f7ceed9c.exe C:\Windows\System32\cmd.exe
PID 684 wrote to memory of 2924 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\chcp.com
PID 684 wrote to memory of 1732 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\PING.EXE
PID 684 wrote to memory of 2196 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\AppData\Local\Temp\f8a7cc2e3e5a8dbfaa11ddb2c1c3286eda1e906dd66c29adc5a9a6c5f7ceed9c.exe
PID 2196 wrote to memory of 2024 N/A C:\Users\Admin\AppData\Local\Temp\f8a7cc2e3e5a8dbfaa11ddb2c1c3286eda1e906dd66c29adc5a9a6c5f7ceed9c.exe C:\Windows\System32\cmd.exe
PID 2024 wrote to memory of 1044 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\chcp.com
PID 2024 wrote to memory of 916 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\PING.EXE
PID 2024 wrote to memory of 1300 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\AppData\Local\Temp\f8a7cc2e3e5a8dbfaa11ddb2c1c3286eda1e906dd66c29adc5a9a6c5f7ceed9c.exe

Processes

C:\Users\Admin\AppData\Local\Temp\f8a7cc2e3e5a8dbfaa11ddb2c1c3286eda1e906dd66c29adc5a9a6c5f7ceed9c.exe

"C:\Users\Admin\AppData\Local\Temp\f8a7cc2e3e5a8dbfaa11ddb2c1c3286eda1e906dd66c29adc5a9a6c5f7ceed9c.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\iWyGsAOhHU.bat"

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Local\Temp\f8a7cc2e3e5a8dbfaa11ddb2c1c3286eda1e906dd66c29adc5a9a6c5f7ceed9c.exe

"C:\Users\Admin\AppData\Local\Temp\f8a7cc2e3e5a8dbfaa11ddb2c1c3286eda1e906dd66c29adc5a9a6c5f7ceed9c.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\nE1uIQLIWX.bat"

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Users\Admin\AppData\Local\Temp\f8a7cc2e3e5a8dbfaa11ddb2c1c3286eda1e906dd66c29adc5a9a6c5f7ceed9c.exe

"C:\Users\Admin\AppData\Local\Temp\f8a7cc2e3e5a8dbfaa11ddb2c1c3286eda1e906dd66c29adc5a9a6c5f7ceed9c.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\yhfppzmMH9.bat"

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Users\Admin\AppData\Local\Temp\f8a7cc2e3e5a8dbfaa11ddb2c1c3286eda1e906dd66c29adc5a9a6c5f7ceed9c.exe

"C:\Users\Admin\AppData\Local\Temp\f8a7cc2e3e5a8dbfaa11ddb2c1c3286eda1e906dd66c29adc5a9a6c5f7ceed9c.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Ip3Bhi35Fh.bat"

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Local\Temp\f8a7cc2e3e5a8dbfaa11ddb2c1c3286eda1e906dd66c29adc5a9a6c5f7ceed9c.exe

"C:\Users\Admin\AppData\Local\Temp\f8a7cc2e3e5a8dbfaa11ddb2c1c3286eda1e906dd66c29adc5a9a6c5f7ceed9c.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\9NLp60UiOc.bat"

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Local\Temp\f8a7cc2e3e5a8dbfaa11ddb2c1c3286eda1e906dd66c29adc5a9a6c5f7ceed9c.exe

"C:\Users\Admin\AppData\Local\Temp\f8a7cc2e3e5a8dbfaa11ddb2c1c3286eda1e906dd66c29adc5a9a6c5f7ceed9c.exe"

Network

Country Destination Domain Proto
RU 77.221.157.108:80 tcp

Files

C:\Users\Admin\AppData\Local\Temp\iWyGsAOhHU.bat

MD5 00406f7be2e1781d8a595fc510c6bcb3
SHA1 4820824f0a1bd17433f0dbc67283832937a54d3a
SHA256 9f8a477b7cc602f359b21d1036bd52e1e9f808fb3c4285f3571d3f9b58e91e60
SHA512 2256cbbc3ee14f034ead7386e8e47f54234167904928ec808324f6a6030358046409e886f8c7bda13caa510483693358d2eafe198809a96bcdc5b82178c7c637

C:\Users\Admin\AppData\Local\Temp\nE1uIQLIWX.bat

MD5 50c2156aea310e2e521e9d07ceafd793
SHA1 0879d903907187ff1b45456349a0d2562e950f4c
SHA256 080fd87a6c0f683913ffa5794f479d84731cf382e21130109c1f07405077ee66
SHA512 7536f97c4c25d6aa1ef05709aff7105bd478f831a5216835ccc0fc39c273d1b2387228629ca3eaab33838d33fac3f7c753ea903c45c7ac05762d4a74f4883172

C:\Users\Admin\AppData\Local\Temp\yhfppzmMH9.bat

MD5 354c459dd44085554a5ce556df786ec5
SHA1 83582006ee5a190e5145ee65add4dce71dcb7627
SHA256 311514063ce9f0cc2179f12ef3e20162738578918178256a9f6fcefbd611e2d2
SHA512 08e69685fd984b8df9837abe0cdb213fc4646f5b3aac4cd48c038c6f7cf1708b8ac4f81972374c3b97352217d7a25277b4c31a4dd4f10c871a55d5464fba24df

C:\Users\Admin\AppData\Local\Temp\Ip3Bhi35Fh.bat

MD5 20fa1e5aa1298859938a3b2cb77ef5f4
SHA1 bbd8c5e669a48259bae538ac1bccf1fca7125dc6
SHA256 a574c18c82be544d31a7dd82617795247a6200408901cf86ca80d38344d40796
SHA512 963c9bd8c697718e33eb5f81de9df2f2c4c7d8ae85ad1f1f13a4bc83631cbde93090409eb4213508922264f3af028aeaa8df088642d12d80aa94250012ae0cf6

C:\Users\Admin\AppData\Local\Temp\9NLp60UiOc.bat

MD5 d5a2d2bba7766ed16bd0c4dbc7b393fd
SHA1 a0b8dfce818560ef1a1f3da2025c15ea795b3f15
SHA256 dc5b01a09005c4189c82a6e2bf13bb252f7f05f095febe3d67098edc61c96d11
SHA512 a4ef93db5d331cea4ca9581130941bae4d0621b2c2d0ba16fd274913ce1f44111973f0111365078fa88245dbd3f86d4a0dbd5d140e9987a52737907295fe8264

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-09 08:35

Reported

2024-05-09 08:38

Platform

win10v2004-20240508-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f8a7cc2e3e5a8dbfaa11ddb2c1c3286eda1e906dd66c29adc5a9a6c5f7ceed9c.exe"

Signatures

Detect ZGRat V1

Description Indicator Process Target
N/A N/A N/A N/A

ZGRat

rat zgrat

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\f8a7cc2e3e5a8dbfaa11ddb2c1c3286eda1e906dd66c29adc5a9a6c5f7ceed9c.exe N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\f8a7cc2e3e5a8dbfaa11ddb2c1c3286eda1e906dd66c29adc5a9a6c5f7ceed9c.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\PING.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\f8a7cc2e3e5a8dbfaa11ddb2c1c3286eda1e906dd66c29adc5a9a6c5f7ceed9c.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3464 wrote to memory of 3676 N/A C:\Users\Admin\AppData\Local\Temp\f8a7cc2e3e5a8dbfaa11ddb2c1c3286eda1e906dd66c29adc5a9a6c5f7ceed9c.exe C:\Windows\System32\cmd.exe
PID 3464 wrote to memory of 3676 N/A C:\Users\Admin\AppData\Local\Temp\f8a7cc2e3e5a8dbfaa11ddb2c1c3286eda1e906dd66c29adc5a9a6c5f7ceed9c.exe C:\Windows\System32\cmd.exe
PID 3676 wrote to memory of 1404 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\chcp.com
PID 3676 wrote to memory of 1404 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\chcp.com
PID 3676 wrote to memory of 4528 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 3676 wrote to memory of 4528 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 3676 wrote to memory of 2332 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\AppData\Local\Temp\f8a7cc2e3e5a8dbfaa11ddb2c1c3286eda1e906dd66c29adc5a9a6c5f7ceed9c.exe
PID 3676 wrote to memory of 2332 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\AppData\Local\Temp\f8a7cc2e3e5a8dbfaa11ddb2c1c3286eda1e906dd66c29adc5a9a6c5f7ceed9c.exe
PID 2332 wrote to memory of 1416 N/A C:\Users\Admin\AppData\Local\Temp\f8a7cc2e3e5a8dbfaa11ddb2c1c3286eda1e906dd66c29adc5a9a6c5f7ceed9c.exe C:\Windows\System32\cmd.exe
PID 2332 wrote to memory of 1416 N/A C:\Users\Admin\AppData\Local\Temp\f8a7cc2e3e5a8dbfaa11ddb2c1c3286eda1e906dd66c29adc5a9a6c5f7ceed9c.exe C:\Windows\System32\cmd.exe
PID 1416 wrote to memory of 1856 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\chcp.com
PID 1416 wrote to memory of 1856 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\chcp.com
PID 1416 wrote to memory of 5088 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 1416 wrote to memory of 5088 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 1416 wrote to memory of 1644 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\AppData\Local\Temp\f8a7cc2e3e5a8dbfaa11ddb2c1c3286eda1e906dd66c29adc5a9a6c5f7ceed9c.exe
PID 1416 wrote to memory of 1644 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\AppData\Local\Temp\f8a7cc2e3e5a8dbfaa11ddb2c1c3286eda1e906dd66c29adc5a9a6c5f7ceed9c.exe
PID 1644 wrote to memory of 4804 N/A C:\Users\Admin\AppData\Local\Temp\f8a7cc2e3e5a8dbfaa11ddb2c1c3286eda1e906dd66c29adc5a9a6c5f7ceed9c.exe C:\Windows\System32\cmd.exe
PID 1644 wrote to memory of 4804 N/A C:\Users\Admin\AppData\Local\Temp\f8a7cc2e3e5a8dbfaa11ddb2c1c3286eda1e906dd66c29adc5a9a6c5f7ceed9c.exe C:\Windows\System32\cmd.exe
PID 4804 wrote to memory of 3276 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\chcp.com
PID 4804 wrote to memory of 3276 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\chcp.com
PID 4804 wrote to memory of 2704 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\PING.EXE
PID 4804 wrote to memory of 2704 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\PING.EXE
PID 4804 wrote to memory of 628 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\AppData\Local\Temp\f8a7cc2e3e5a8dbfaa11ddb2c1c3286eda1e906dd66c29adc5a9a6c5f7ceed9c.exe
PID 4804 wrote to memory of 628 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\AppData\Local\Temp\f8a7cc2e3e5a8dbfaa11ddb2c1c3286eda1e906dd66c29adc5a9a6c5f7ceed9c.exe
PID 628 wrote to memory of 1400 N/A C:\Users\Admin\AppData\Local\Temp\f8a7cc2e3e5a8dbfaa11ddb2c1c3286eda1e906dd66c29adc5a9a6c5f7ceed9c.exe C:\Windows\System32\cmd.exe
PID 628 wrote to memory of 1400 N/A C:\Users\Admin\AppData\Local\Temp\f8a7cc2e3e5a8dbfaa11ddb2c1c3286eda1e906dd66c29adc5a9a6c5f7ceed9c.exe C:\Windows\System32\cmd.exe
PID 1400 wrote to memory of 1392 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\chcp.com
PID 1400 wrote to memory of 1392 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\chcp.com
PID 1400 wrote to memory of 4148 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 1400 wrote to memory of 4148 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 1400 wrote to memory of 2588 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\AppData\Local\Temp\f8a7cc2e3e5a8dbfaa11ddb2c1c3286eda1e906dd66c29adc5a9a6c5f7ceed9c.exe
PID 1400 wrote to memory of 2588 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\AppData\Local\Temp\f8a7cc2e3e5a8dbfaa11ddb2c1c3286eda1e906dd66c29adc5a9a6c5f7ceed9c.exe
PID 2588 wrote to memory of 4628 N/A C:\Users\Admin\AppData\Local\Temp\f8a7cc2e3e5a8dbfaa11ddb2c1c3286eda1e906dd66c29adc5a9a6c5f7ceed9c.exe C:\Windows\System32\cmd.exe
PID 2588 wrote to memory of 4628 N/A C:\Users\Admin\AppData\Local\Temp\f8a7cc2e3e5a8dbfaa11ddb2c1c3286eda1e906dd66c29adc5a9a6c5f7ceed9c.exe C:\Windows\System32\cmd.exe
PID 4628 wrote to memory of 1408 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\chcp.com
PID 4628 wrote to memory of 1408 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\chcp.com
PID 4628 wrote to memory of 4656 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 4628 wrote to memory of 4656 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 4628 wrote to memory of 612 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\AppData\Local\Temp\f8a7cc2e3e5a8dbfaa11ddb2c1c3286eda1e906dd66c29adc5a9a6c5f7ceed9c.exe
PID 4628 wrote to memory of 612 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\AppData\Local\Temp\f8a7cc2e3e5a8dbfaa11ddb2c1c3286eda1e906dd66c29adc5a9a6c5f7ceed9c.exe

Processes

C:\Users\Admin\AppData\Local\Temp\f8a7cc2e3e5a8dbfaa11ddb2c1c3286eda1e906dd66c29adc5a9a6c5f7ceed9c.exe

"C:\Users\Admin\AppData\Local\Temp\f8a7cc2e3e5a8dbfaa11ddb2c1c3286eda1e906dd66c29adc5a9a6c5f7ceed9c.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\PTUnOlLS5m.bat"

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Users\Admin\AppData\Local\Temp\f8a7cc2e3e5a8dbfaa11ddb2c1c3286eda1e906dd66c29adc5a9a6c5f7ceed9c.exe

"C:\Users\Admin\AppData\Local\Temp\f8a7cc2e3e5a8dbfaa11ddb2c1c3286eda1e906dd66c29adc5a9a6c5f7ceed9c.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\tnXcb7QBZk.bat"

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Users\Admin\AppData\Local\Temp\f8a7cc2e3e5a8dbfaa11ddb2c1c3286eda1e906dd66c29adc5a9a6c5f7ceed9c.exe

"C:\Users\Admin\AppData\Local\Temp\f8a7cc2e3e5a8dbfaa11ddb2c1c3286eda1e906dd66c29adc5a9a6c5f7ceed9c.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\htx2mBafAs.bat"

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Local\Temp\f8a7cc2e3e5a8dbfaa11ddb2c1c3286eda1e906dd66c29adc5a9a6c5f7ceed9c.exe

"C:\Users\Admin\AppData\Local\Temp\f8a7cc2e3e5a8dbfaa11ddb2c1c3286eda1e906dd66c29adc5a9a6c5f7ceed9c.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\2m5X78pZbp.bat"

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Users\Admin\AppData\Local\Temp\f8a7cc2e3e5a8dbfaa11ddb2c1c3286eda1e906dd66c29adc5a9a6c5f7ceed9c.exe

"C:\Users\Admin\AppData\Local\Temp\f8a7cc2e3e5a8dbfaa11ddb2c1c3286eda1e906dd66c29adc5a9a6c5f7ceed9c.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\oqD6e5Rlo4.bat"

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Users\Admin\AppData\Local\Temp\f8a7cc2e3e5a8dbfaa11ddb2c1c3286eda1e906dd66c29adc5a9a6c5f7ceed9c.exe

"C:\Users\Admin\AppData\Local\Temp\f8a7cc2e3e5a8dbfaa11ddb2c1c3286eda1e906dd66c29adc5a9a6c5f7ceed9c.exe"

Network

Country  Destination        Domain                        Proto
RU       77.221.157.108:80  -                             tcp
US       8.8.8.8:53         22.160.190.20.in-addr.arpa    udp
US       8.8.8.8:53         55.36.223.20.in-addr.arpa     udp
RU       77.221.157.108:80  -                             tcp
US       8.8.8.8:53         50.23.12.20.in-addr.arpa      udp
US       8.8.8.8:53         15.164.165.52.in-addr.arpa    udp
US       8.8.8.8:53         172.210.232.199.in-addr.arpa  udp
RU       77.221.157.108:80  -                             tcp
US       8.8.8.8:53         77.190.18.2.in-addr.arpa      udp
RU       77.221.157.108:80  -                             tcp
US       8.8.8.8:53         13.227.111.52.in-addr.arpa    udp
RU       77.221.157.108:80  -                             tcp
RU       77.221.157.108:80  -                             tcp
US       8.8.8.8:53         9.179.89.13.in-addr.arpa      udp

Files

memory/3464-1-0x0000000000AF0000-0x0000000000CCE000-memory.dmp

memory/3464-0-0x00007FF849A53000-0x00007FF849A55000-memory.dmp

memory/3464-2-0x00007FF849A50000-0x00007FF84A511000-memory.dmp

memory/3464-3-0x00007FF849A50000-0x00007FF84A511000-memory.dmp

memory/3464-4-0x00007FF849A50000-0x00007FF84A511000-memory.dmp

memory/3464-6-0x000000001B980000-0x000000001B98E000-memory.dmp

memory/3464-8-0x000000001BA10000-0x000000001BA2C000-memory.dmp

memory/3464-9-0x00007FF849A50000-0x00007FF84A511000-memory.dmp

memory/3464-10-0x000000001BA80000-0x000000001BAD0000-memory.dmp

memory/3464-14-0x000000001B9A0000-0x000000001B9AC000-memory.dmp

memory/3464-12-0x000000001BA30000-0x000000001BA48000-memory.dmp

memory/3464-15-0x00007FF849A50000-0x00007FF84A511000-memory.dmp

memory/3464-16-0x00007FF849A50000-0x00007FF84A511000-memory.dmp

memory/3464-17-0x00007FF849A50000-0x00007FF84A511000-memory.dmp

memory/3464-18-0x00007FF849A50000-0x00007FF84A511000-memory.dmp

memory/3464-19-0x00007FF849A50000-0x00007FF84A511000-memory.dmp

memory/3464-20-0x00007FF849A53000-0x00007FF849A55000-memory.dmp

memory/3464-26-0x00007FF849A50000-0x00007FF84A511000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\PTUnOlLS5m.bat

MD5 a18b5fdf21adf6e00876f6da84e152af
SHA1 e3091c935a90446d63b4472c97c227e5ba050865
SHA256 90ac8eebd4c7a478697c2646ab66fa1b61ecb03fff81ec75cdb9963a28c59c8a
SHA512 e9e3ed28a878d73df1a614524f30af44f7c10b6971f8bdc85866fbc5ec1af2e326cec67a1372e7ca17a60c71fb1135b564108b5bac31af35e167a761801ac9e8

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\f8a7cc2e3e5a8dbfaa11ddb2c1c3286eda1e906dd66c29adc5a9a6c5f7ceed9c.exe.log

MD5 f8b2fca3a50771154571c11f1c53887b
SHA1 2e83b0c8e2f4c10b145b7fb4832ed1c78743de3f
SHA256 0efa72802031a8f902c3a4ab18fe3d667dafc71c93eb3a1811e78353ecf4a6b6
SHA512 b98b8d5516593d13415199d4ac6fbe4ff924488487c4bd863cb677601048785d872a3ff30129148e2961cb6fb2fc33117540302980a132f57f7ec9a497813f1a

memory/2332-29-0x00007FF849CA3000-0x00007FF849CA5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tnXcb7QBZk.bat

MD5 fc70fb5718b27845237a496167c6d934
SHA1 9d1dd294de0832032a1b7906f08c9793561e43a1
SHA256 cba7bcff6d3d4bdcdbd04ec531acf14375580bc21736a631593599d41ae8cfa4
SHA512 ef43f651ab91fca7f4099bd774f91fa5be719cb344a49d5f8324be28adcb9b985a75cfbf7512cc90bea90fa5b43b7210e120225dc7ca61d6b2c1c530e0aa7bef

C:\Users\Admin\AppData\Local\Temp\htx2mBafAs.bat

MD5 f8f1bc4320dd0040eb190d7a7f905061
SHA1 9e9212d6cc567c652e6721cedcf9da24d7fc7a10
SHA256 cc5976e9e96423378fc97548f92373b11f701e95ecfc7a8dc8f42b9a81e50b1e
SHA512 508ea7dee19fc36429753ed9c37bba7f57f11277cf5b290437962e599a71d9acc3c3a7db1044c892b88a467882adc55fbbf3ec87747ef81182a35b43776c122d

C:\Users\Admin\AppData\Local\Temp\2m5X78pZbp.bat

MD5 dffb4d58ac8e407232144ecef151ea0c
SHA1 993154bde29996e7ffdc2bbc1127e7e835caa714
SHA256 27b5a02df43435a621d67835bd76d011b7b260cc2c7b0afbcb59c6383a06e48f
SHA512 222a170e569963a59453fbc8255e14b3878d87a412a853cb0ed1e354c14510384218cc78585370af2d00a8e2bc1a2b82c70009c9a9d2fc81b188649f4bc63e9b

C:\Users\Admin\AppData\Local\Temp\oqD6e5Rlo4.bat

MD5 c163f406770f597377abd85aaed714cb
SHA1 4798a0bf4a3b3d94ee914558330504bf77946a86
SHA256 4be9f1d18533bbea73dc717a88ebd22c300e106c69a2e6194fdafefbf5a45bb8
SHA512 4c8ba387031ae8007b07f266f6e5be432304b5d7521fe090494c35c32d0fbc05eb9c0dc74a172b6127e83fdb077c203550cd2c415c8bee4c7635d74670faeafd