Malware Analysis Report

2024-11-13 13:46

Sample ID 240719-m1qq6sxdpk
Target SolaraBootstrapper.exe
SHA256 84f0cb45e1f9d6f73ff0033ecc509cf19648a546966e381f227d89bd2ab5882a
Tags
rat dcrat infostealer spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

84f0cb45e1f9d6f73ff0033ecc509cf19648a546966e381f227d89bd2ab5882a

Threat Level: Known bad

The file SolaraBootstrapper.exe was found to be: Known bad.

Malicious Activity Summary

rat dcrat infostealer spyware stealer

Dcrat family

Process spawned unexpected child process

DCRat payload

DcRat

DCRat payload

Downloads MZ/PE file

Reads user/profile data of web browsers

Loads dropped DLL

Executes dropped EXE

Checks computer location settings

Drops file in Windows directory

Drops file in Program Files directory

Enumerates physical storage devices

Unsigned PE

Modifies registry class

Scheduled Task/Job: Scheduled Task

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Uses Task Scheduler COM API

Suspicious behavior: GetForegroundWindowSpam

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-07-19 10:56

Signatures

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Dcrat family

dcrat

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-19 10:56

Reported

2024-07-19 10:58

Platform

win7-20240704-en

Max time kernel

150s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"

Signatures

DcRat

rat infostealer dcrat

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe (42 identical rows)

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Downloads MZ/PE file

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\bridgeChainPortRuntimesvc\blockWebmonitor.exe N/A
N/A N/A C:\bridgeChainPortRuntimesvc\blockWebmonitor.exe N/A
N/A N/A C:\Windows\it-IT\csrss.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Reads user/profile data of web browsers

spyware stealer

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Internet Explorer\fr-FR\dllhost.exe C:\bridgeChainPortRuntimesvc\blockWebmonitor.exe N/A
File created C:\Program Files\Internet Explorer\fr-FR\5940a34987c991 C:\bridgeChainPortRuntimesvc\blockWebmonitor.exe N/A
File created C:\Program Files\Windows Portable Devices\smss.exe C:\bridgeChainPortRuntimesvc\blockWebmonitor.exe N/A
File created C:\Program Files\Windows Portable Devices\69ddcba757bf72 C:\bridgeChainPortRuntimesvc\blockWebmonitor.exe N/A
File created C:\Program Files (x86)\Windows Sidebar\winlogon.exe C:\bridgeChainPortRuntimesvc\blockWebmonitor.exe N/A
File created C:\Program Files (x86)\Windows Sidebar\cc11b995f2a76d C:\bridgeChainPortRuntimesvc\blockWebmonitor.exe N/A
File created C:\Program Files\Internet Explorer\fr-FR\dllhost.exe C:\bridgeChainPortRuntimesvc\blockWebmonitor.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\it-IT\886983d96e3d3e C:\bridgeChainPortRuntimesvc\blockWebmonitor.exe N/A
File created C:\Windows\it-IT\csrss.exe C:\bridgeChainPortRuntimesvc\blockWebmonitor.exe N/A

Enumerates physical storage devices

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A (42 identical rows)

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\it-IT\csrss.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\bridgeChainPortRuntimesvc\blockWebmonitor.exe N/A
Token: SeDebugPrivilege N/A C:\bridgeChainPortRuntimesvc\blockWebmonitor.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\it-IT\csrss.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2112 wrote to memory of 1896 N/A C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe C:\Windows\SysWOW64\WScript.exe (4 identical rows)
PID 1896 wrote to memory of 2704 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe (4 identical rows)
PID 2704 wrote to memory of 2804 N/A C:\Windows\SysWOW64\cmd.exe C:\bridgeChainPortRuntimesvc\blockWebmonitor.exe (4 identical rows)
PID 2804 wrote to memory of 1864 N/A C:\bridgeChainPortRuntimesvc\blockWebmonitor.exe C:\bridgeChainPortRuntimesvc\blockWebmonitor.exe (3 identical rows)
PID 1864 wrote to memory of 2264 N/A C:\bridgeChainPortRuntimesvc\blockWebmonitor.exe C:\Windows\it-IT\csrss.exe (3 identical rows)
PID 2264 wrote to memory of 2600 N/A C:\Windows\it-IT\csrss.exe C:\Windows\system32\cmd.exe (3 identical rows)
PID 2264 wrote to memory of 3036 N/A C:\Windows\it-IT\csrss.exe C:\Windows\system32\cmd.exe (3 identical rows)
PID 2264 wrote to memory of 3028 N/A C:\Windows\it-IT\csrss.exe C:\Windows\system32\cmd.exe (3 identical rows)
PID 2600 wrote to memory of 1356 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\notepad.exe (3 identical rows)
PID 2264 wrote to memory of 2140 N/A C:\Windows\it-IT\csrss.exe C:\Windows\system32\cmd.exe (3 identical rows)
PID 3036 wrote to memory of 2636 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\notepad.exe (3 identical rows)
PID 3028 wrote to memory of 2660 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\notepad.exe (3 identical rows)
PID 2264 wrote to memory of 1748 N/A C:\Windows\it-IT\csrss.exe C:\Windows\system32\cmd.exe (3 identical rows)
PID 2264 wrote to memory of 1872 N/A C:\Windows\it-IT\csrss.exe C:\Windows\system32\cmd.exe (3 identical rows)
PID 2264 wrote to memory of 2960 N/A C:\Windows\it-IT\csrss.exe C:\Windows\system32\cmd.exe (3 identical rows)
PID 2264 wrote to memory of 2488 N/A C:\Windows\it-IT\csrss.exe C:\Windows\system32\cmd.exe (3 identical rows)
PID 2264 wrote to memory of 2728 N/A C:\Windows\it-IT\csrss.exe C:\Windows\system32\cmd.exe (3 identical rows)
PID 1748 wrote to memory of 1484 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\notepad.exe (3 identical rows)
PID 2140 wrote to memory of 1912 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\notepad.exe (3 identical rows)
PID 2264 wrote to memory of 812 N/A C:\Windows\it-IT\csrss.exe C:\Windows\system32\cmd.exe (3 identical rows)
PID 1872 wrote to memory of 1656 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\notepad.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe

"C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\bridgeChainPortRuntimesvc\KYWZumt8BUk9utkyDTH3KdoPURzn.vbe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\bridgeChainPortRuntimesvc\NzJd90omClmvnpBTnUNvAmh.bat" "

C:\bridgeChainPortRuntimesvc\blockWebmonitor.exe

"C:\bridgeChainPortRuntimesvc\blockWebmonitor.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Program Files\Internet Explorer\fr-FR\dllhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\fr-FR\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Program Files\Internet Explorer\fr-FR\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\bridgeChainPortRuntimesvc\sppsvc.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\bridgeChainPortRuntimesvc\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\bridgeChainPortRuntimesvc\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\Recovery\3c6609c2-3a8b-11ef-9675-d685e2345d05\System.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Recovery\3c6609c2-3a8b-11ef-9675-d685e2345d05\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Recovery\3c6609c2-3a8b-11ef-9675-d685e2345d05\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\dllhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Users\Default\Recent\smss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\Default\Recent\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\Users\Default\Recent\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\winlogon.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\MSOCache\All Users\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\winlogon.exe'" /rl HIGHEST /f

C:\bridgeChainPortRuntimesvc\blockWebmonitor.exe

"C:\bridgeChainPortRuntimesvc\blockWebmonitor.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\smss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\MSOCache\All Users\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "schtaskss" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\Microsoft\schtasks.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "schtasks" /sc ONLOGON /tr "'C:\Users\All Users\Microsoft\schtasks.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "schtaskss" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\Microsoft\schtasks.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Recovery\3c6609c2-3a8b-11ef-9675-d685e2345d05\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\3c6609c2-3a8b-11ef-9675-d685e2345d05\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Recovery\3c6609c2-3a8b-11ef-9675-d685e2345d05\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Windows\it-IT\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\it-IT\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Windows\it-IT\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Portable Devices\smss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Portable Devices\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Sidebar\winlogon.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Sidebar\winlogon.exe'" /rl HIGHEST /f

C:\Windows\it-IT\csrss.exe

"C:\Windows\it-IT\csrss.exe"

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\XdxpZ3I66P.bat" "

C:\Windows\system32\notepad.exe

notepad.exe

(The two entries above recur for the rest of the process list: every further cmd.exe instance runs the same XdxpZ3I66P.bat command line, and every further notepad.exe instance is launched as plain notepad.exe. The listing is cut off at the end of the page.)

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\XdxpZ3I66P.bat" "

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\XdxpZ3I66P.bat" "

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\XdxpZ3I66P.bat" "

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\XdxpZ3I66P.bat" "

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\XdxpZ3I66P.bat" "

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\XdxpZ3I66P.bat" "

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\XdxpZ3I66P.bat" "

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\XdxpZ3I66P.bat" "

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\XdxpZ3I66P.bat" "

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\XdxpZ3I66P.bat" "

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\XdxpZ3I66P.bat" "

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\XdxpZ3I66P.bat" "

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\XdxpZ3I66P.bat" "

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\XdxpZ3I66P.bat" "

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\XdxpZ3I66P.bat" "

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\XdxpZ3I66P.bat" "

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\XdxpZ3I66P.bat" "

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\XdxpZ3I66P.bat" "

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\XdxpZ3I66P.bat" "

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\XdxpZ3I66P.bat" "

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\XdxpZ3I66P.bat" "

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\XdxpZ3I66P.bat" "

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\XdxpZ3I66P.bat" "

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\XdxpZ3I66P.bat" "

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\XdxpZ3I66P.bat" "

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\XdxpZ3I66P.bat" "

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\XdxpZ3I66P.bat" "

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\XdxpZ3I66P.bat" "

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\XdxpZ3I66P.bat" "

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\XdxpZ3I66P.bat" "

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\XdxpZ3I66P.bat" "

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\XdxpZ3I66P.bat" "

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\XdxpZ3I66P.bat" "

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\XdxpZ3I66P.bat" "

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\XdxpZ3I66P.bat" "

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\XdxpZ3I66P.bat" "

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\XdxpZ3I66P.bat" "

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\XdxpZ3I66P.bat" "

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\XdxpZ3I66P.bat" "

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\XdxpZ3I66P.bat" "

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\XdxpZ3I66P.bat" "

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\XdxpZ3I66P.bat" "

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\XdxpZ3I66P.bat" "

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\XdxpZ3I66P.bat" "

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\XdxpZ3I66P.bat" "

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\XdxpZ3I66P.bat" "

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\XdxpZ3I66P.bat" "

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\XdxpZ3I66P.bat" "

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\XdxpZ3I66P.bat" "

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\XdxpZ3I66P.bat" "

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\XdxpZ3I66P.bat" "

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\XdxpZ3I66P.bat" "

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\XdxpZ3I66P.bat" "

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\XdxpZ3I66P.bat" "

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\XdxpZ3I66P.bat" "

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\XdxpZ3I66P.bat" "

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\XdxpZ3I66P.bat" "

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\XdxpZ3I66P.bat" "

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\XdxpZ3I66P.bat" "

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\XdxpZ3I66P.bat" "

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\XdxpZ3I66P.bat" "

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\XdxpZ3I66P.bat" "

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\XdxpZ3I66P.bat" "

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\XdxpZ3I66P.bat" "

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\XdxpZ3I66P.bat" "

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\XdxpZ3I66P.bat" "

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\XdxpZ3I66P.bat" "

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\XdxpZ3I66P.bat" "

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\XdxpZ3I66P.bat" "

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\XdxpZ3I66P.bat" "

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\XdxpZ3I66P.bat" "

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\XdxpZ3I66P.bat" "

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\XdxpZ3I66P.bat" "

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\XdxpZ3I66P.bat" "

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\XdxpZ3I66P.bat" "

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\XdxpZ3I66P.bat" "

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\XdxpZ3I66P.bat" "

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\XdxpZ3I66P.bat" "

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\XdxpZ3I66P.bat" "

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\XdxpZ3I66P.bat" "

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\XdxpZ3I66P.bat" "

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\XdxpZ3I66P.bat" "

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\XdxpZ3I66P.bat" "

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\XdxpZ3I66P.bat" "

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\XdxpZ3I66P.bat" "

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\XdxpZ3I66P.bat" "

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\XdxpZ3I66P.bat" "

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\XdxpZ3I66P.bat" "

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\XdxpZ3I66P.bat" "

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\XdxpZ3I66P.bat" "

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\XdxpZ3I66P.bat" "

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\XdxpZ3I66P.bat" "

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\XdxpZ3I66P.bat" "

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\XdxpZ3I66P.bat" "

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\XdxpZ3I66P.bat" "

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\XdxpZ3I66P.bat" "

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\XdxpZ3I66P.bat" "

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\XdxpZ3I66P.bat" "

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\XdxpZ3I66P.bat" "

Network

Country Destination Domain Proto
US 8.8.8.8:53 a1008137.xsph.ru udp
RU 141.8.195.33:80 a1008137.xsph.ru tcp
RU 141.8.195.33:80 a1008137.xsph.ru tcp
RU 141.8.195.33:80 a1008137.xsph.ru tcp
RU 141.8.195.33:80 a1008137.xsph.ru tcp

Files

C:\bridgeChainPortRuntimesvc\KYWZumt8BUk9utkyDTH3KdoPURzn.vbe

MD5 ba25eeb03e04ab1178271aaef7bf5ddf
SHA1 8545d635a9399f59cf14b906f94f9ab477bade13
SHA256 27c70f4f1d7f74e55c64bbc362517f9e1747ff088bbc8c39d0d863dd97ce2e1b
SHA512 902de5ed4d696a4f68e5325fd658c14b1919f2c8335d25fc8711a0f6648c1734f3883ece711121741fe6c213e17c4710c8a2f0142a901792d8e2f39f388994e9

C:\bridgeChainPortRuntimesvc\NzJd90omClmvnpBTnUNvAmh.bat

MD5 454b0a8c65b51ac0f6943432a048286b
SHA1 dcd28039faf373d530675b26cf3a129af123a372
SHA256 2a24e0ba60aadef03e44ae2426da5f004b2c38aa954294a600a84ca7c09d61f0
SHA512 18d3428fd739f556b15617b1f755590220acbd8049155443f9d8501162dfb79e9c82cabebe6a72a6dcdd19b6b45e234207ae18cce60c02c179f979ef3c932460

\bridgeChainPortRuntimesvc\blockWebmonitor.exe

MD5 8af54f49a06f90d75b53c959e2cf18c4
SHA1 7b9eb10069a742536269e4cf774f2dabb55621d3
SHA256 c931d6645fe8fcc0a50a65e0a2ba3d12eaa3f1e0e3081a7556dc31d2e55c133e
SHA512 deb24679a1c6cf20886f32db035d30a4cf97f6c572cc473923b68092e9ed3ebcf86ba35f5f1624d3c64ff008fdfd9c01f1d581203a84d947cfc5cfe43eaeb25b

memory/2804-13-0x0000000000E60000-0x0000000000F92000-memory.dmp

memory/2804-14-0x0000000000A00000-0x0000000000A1C000-memory.dmp

memory/2804-15-0x0000000000A20000-0x0000000000A36000-memory.dmp

memory/2804-16-0x0000000000750000-0x000000000075C000-memory.dmp

memory/2264-52-0x0000000000230000-0x0000000000362000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\XdxpZ3I66P.bat

MD5 2020ae7235e4ca2d098b2a6acfd6a923
SHA1 b390363f25cf5539bbaefffe4805893a3fd4f016
SHA256 caec56565830252605e355886227771736c3d40808a423e97f93a2dcb632a34e
SHA512 13a3b1ebec1f09d0eee9866e8c403c66a29fb530b0c9056246d623e495fac915b5868471b51d95c869636eded94b6115d234a645971d27e7b14eeeda5ecbf9fa

memory/2264-101-0x000000001AE10000-0x000000001AE20000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-19 10:56

Reported

2024-07-19 10:58

Platform

win10v2004-20240709-en

Max time kernel

148s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"

Signatures

DcRat

rat infostealer dcrat

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
(57 identical entries collapsed: every schtasks.exe invocation in this run has WmiPrvSE.exe as its parent, i.e. the tasks were registered through WMI process creation rather than spawned directly by the dropper.)

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-47134698-4092160662-1261813102-1000\Control Panel\International\Geo\Nation C:\bridgeChainPortRuntimesvc\blockWebmonitor.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-47134698-4092160662-1261813102-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-47134698-4092160662-1261813102-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\WScript.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\bridgeChainPortRuntimesvc\blockWebmonitor.exe N/A
N/A N/A C:\Recovery\WindowsRE\dllhost.exe N/A

Reads user/profile data of web browsers

spyware stealer

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\e6c9b481da804f C:\bridgeChainPortRuntimesvc\blockWebmonitor.exe N/A
File created C:\Program Files (x86)\Microsoft\Temp\services.exe C:\bridgeChainPortRuntimesvc\blockWebmonitor.exe N/A
File created C:\Program Files (x86)\Common Files\Java\RuntimeBroker.exe C:\bridgeChainPortRuntimesvc\blockWebmonitor.exe N/A
File created C:\Program Files (x86)\Windows NT\9e8d7a4ca61bd9 C:\bridgeChainPortRuntimesvc\blockWebmonitor.exe N/A
File created C:\Program Files\Windows Multimedia Platform\WaaSMedicAgent.exe C:\bridgeChainPortRuntimesvc\blockWebmonitor.exe N/A
File created C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\OfficeClickToRun.exe C:\bridgeChainPortRuntimesvc\blockWebmonitor.exe N/A
File created C:\Program Files\Internet Explorer\fr-FR\088424020bedd6 C:\bridgeChainPortRuntimesvc\blockWebmonitor.exe N/A
File created C:\Program Files (x86)\Microsoft\Temp\c5b4cb5e9653cc C:\bridgeChainPortRuntimesvc\blockWebmonitor.exe N/A
File created C:\Program Files (x86)\Common Files\Java\9e8d7a4ca61bd9 C:\bridgeChainPortRuntimesvc\blockWebmonitor.exe N/A
File created C:\Program Files (x86)\Windows NT\RuntimeBroker.exe C:\bridgeChainPortRuntimesvc\blockWebmonitor.exe N/A
File created C:\Program Files\Windows Multimedia Platform\c82b8037eab33d C:\bridgeChainPortRuntimesvc\blockWebmonitor.exe N/A
File created C:\Program Files\Internet Explorer\fr-FR\conhost.exe C:\bridgeChainPortRuntimesvc\blockWebmonitor.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\assembly\GAC_64\System.Data.OracleClient\f3b6ecef712a24 C:\bridgeChainPortRuntimesvc\blockWebmonitor.exe N/A
File created C:\Windows\WaaS\tasks\csrss.exe C:\bridgeChainPortRuntimesvc\blockWebmonitor.exe N/A
File created C:\Windows\assembly\NativeImages_v2.0.50727_32\System.exe C:\bridgeChainPortRuntimesvc\blockWebmonitor.exe N/A
File created C:\Windows\assembly\NativeImages_v2.0.50727_32\27d1bcfc3c54e0 C:\bridgeChainPortRuntimesvc\blockWebmonitor.exe N/A
File created C:\Windows\assembly\GAC_64\System.Data.OracleClient\spoolsv.exe C:\bridgeChainPortRuntimesvc\blockWebmonitor.exe N/A
File opened for modification C:\Windows\assembly\GAC_64\System.Data.OracleClient\spoolsv.exe C:\bridgeChainPortRuntimesvc\blockWebmonitor.exe N/A
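The two tables above show the dropper writing copies of the payload under the names of Windows system binaries (services.exe, csrss.exe, spoolsv.exe, conhost.exe, RuntimeBroker.exe, WaaSMedicAgent.exe, OfficeClickToRun.exe, System.exe) into directories where those binaries never live, and in every directory but one the copy sits next to a 14-character hex-named companion file. The Python below is an added example, not part of the sandbox report: it re-types the "File created" paths (plus the C:\Recovery\WindowsRE\dllhost.exe from the "Executes dropped EXE" table) as constructed input and flags both the masqueraded names and the exe-plus-companion pairs. The EXPECTED_DIRS table is an assumption of this example, not something the report states.

```python
r"""Flag dropped files that masquerade as Windows system binaries.

Added example; not part of the sandbox report. DROPPED_FILES re-types the
"File created" rows above (plus dllhost.exe under C:\Recovery\WindowsRE from
the "Executes dropped EXE" table) as constructed input. EXPECTED_DIRS is an
assumption of this example, not something the report states.
"""
import ntpath
import re
from collections import defaultdict

# Directories where each binary name legitimately lives on 64-bit Windows 10.
# Assumption of this example; baseline it against your own golden image.
EXPECTED_DIRS = {
    "services.exe": {r"c:\windows\system32"},
    "csrss.exe": {r"c:\windows\system32"},
    "spoolsv.exe": {r"c:\windows\system32"},
    "conhost.exe": {r"c:\windows\system32"},
    "dllhost.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
    "runtimebroker.exe": {r"c:\windows\system32"},
    "waasmedicagent.exe": {r"c:\windows\system32"},
    "officeclicktorun.exe": {r"c:\program files\common files\microsoft shared\clicktorun"},
    "system.exe": set(),  # no such PE exists; "System" is the kernel pseudo-process
}

# Companion file dropped beside each copy: 14 lowercase hex chars, no extension.
COMPANION_RE = re.compile(r"^[0-9a-f]{14}$")

DROPPED_FILES = [  # constructed from the report's "File created" rows
    r"C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\e6c9b481da804f",
    r"C:\Program Files (x86)\Microsoft\Temp\services.exe",
    r"C:\Program Files (x86)\Common Files\Java\RuntimeBroker.exe",
    r"C:\Program Files (x86)\Windows NT\9e8d7a4ca61bd9",
    r"C:\Program Files\Windows Multimedia Platform\WaaSMedicAgent.exe",
    r"C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\OfficeClickToRun.exe",
    r"C:\Program Files\Internet Explorer\fr-FR\088424020bedd6",
    r"C:\Program Files (x86)\Microsoft\Temp\c5b4cb5e9653cc",
    r"C:\Program Files (x86)\Common Files\Java\9e8d7a4ca61bd9",
    r"C:\Program Files (x86)\Windows NT\RuntimeBroker.exe",
    r"C:\Program Files\Windows Multimedia Platform\c82b8037eab33d",
    r"C:\Program Files\Internet Explorer\fr-FR\conhost.exe",
    r"C:\Windows\assembly\GAC_64\System.Data.OracleClient\f3b6ecef712a24",
    r"C:\Windows\WaaS\tasks\csrss.exe",
    r"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.exe",
    r"C:\Windows\assembly\NativeImages_v2.0.50727_32\27d1bcfc3c54e0",
    r"C:\Windows\assembly\GAC_64\System.Data.OracleClient\spoolsv.exe",
    r"C:\Recovery\WindowsRE\dllhost.exe",
]


def is_masquerade(path):
    """True when the file name is a known system binary outside its expected directory."""
    name = ntpath.basename(path).lower()
    if name not in EXPECTED_DIRS:
        return False
    return ntpath.dirname(path).lower() not in EXPECTED_DIRS[name]


def find_masquerades(paths):
    return [p for p in paths if is_masquerade(p)]


def find_companion_pairs(paths):
    """Return (exe, companion) tuples: a masqueraded PE and a hex-named file in one directory."""
    by_dir = defaultdict(list)
    for p in paths:
        by_dir[ntpath.dirname(p).lower()].append(p)
    pairs = []
    for entries in by_dir.values():
        exes = [p for p in entries if is_masquerade(p)]
        comps = [p for p in entries if COMPANION_RE.match(ntpath.basename(p).lower())]
        pairs.extend((exe, comp) for exe in exes for comp in comps)
    return pairs


if __name__ == "__main__":
    for p in find_masquerades(DROPPED_FILES):
        print("masquerade:", p)
    for exe, comp in find_companion_pairs(DROPPED_FILES):
        print("pair:", ntpath.basename(exe), "+", ntpath.basename(comp))
```

Run against the report's paths this flags ten masqueraded binaries and eight exe-plus-companion pairs; the lone csrss.exe under C:\Windows\WaaS\tasks and the dllhost.exe under C:\Recovery\WindowsRE are flagged as masquerades but have no companion in the listed files. The same two functions work unchanged on a file-create feed from an EDR, where the directory grouping is what separates this dropper pattern from an isolated odd path.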

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-47134698-4092160662-1261813102-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe N/A
Key created \REGISTRY\USER\S-1-5-21-47134698-4092160662-1261813102-1000_Classes\Local Settings C:\bridgeChainPortRuntimesvc\blockWebmonitor.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
(57 identical entries collapsed, one per schtasks.exe invocation; the /create command lines are listed under Processes.)

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Recovery\WindowsRE\dllhost.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\bridgeChainPortRuntimesvc\blockWebmonitor.exe N/A
Token: SeDebugPrivilege N/A C:\Recovery\WindowsRE\dllhost.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4720 wrote to memory of 2360 N/A C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe C:\Windows\SysWOW64\WScript.exe
PID 4720 wrote to memory of 2360 N/A C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe C:\Windows\SysWOW64\WScript.exe
PID 4720 wrote to memory of 2360 N/A C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe C:\Windows\SysWOW64\WScript.exe
PID 2360 wrote to memory of 3776 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 2360 wrote to memory of 3776 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 2360 wrote to memory of 3776 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 3776 wrote to memory of 1956 N/A C:\Windows\SysWOW64\cmd.exe C:\bridgeChainPortRuntimesvc\blockWebmonitor.exe
PID 3776 wrote to memory of 1956 N/A C:\Windows\SysWOW64\cmd.exe C:\bridgeChainPortRuntimesvc\blockWebmonitor.exe
PID 1956 wrote to memory of 3480 N/A C:\bridgeChainPortRuntimesvc\blockWebmonitor.exe C:\Windows\System32\cmd.exe
PID 1956 wrote to memory of 3480 N/A C:\bridgeChainPortRuntimesvc\blockWebmonitor.exe C:\Windows\System32\cmd.exe
PID 3480 wrote to memory of 5112 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 3480 wrote to memory of 5112 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 3480 wrote to memory of 4268 N/A C:\Windows\System32\cmd.exe C:\Recovery\WindowsRE\dllhost.exe
PID 3480 wrote to memory of 4268 N/A C:\Windows\System32\cmd.exe C:\Recovery\WindowsRE\dllhost.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe

"C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\bridgeChainPortRuntimesvc\KYWZumt8BUk9utkyDTH3KdoPURzn.vbe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\bridgeChainPortRuntimesvc\NzJd90omClmvnpBTnUNvAmh.bat" "

C:\bridgeChainPortRuntimesvc\blockWebmonitor.exe

"C:\bridgeChainPortRuntimesvc\blockWebmonitor.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Windows\assembly\GAC_64\System.Data.OracleClient\spoolsv.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\assembly\GAC_64\System.Data.OracleClient\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\Windows\assembly\GAC_64\System.Data.OracleClient\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Common Files\Java\RuntimeBroker.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\Java\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Common Files\Java\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Users\Default\Cookies\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Default\Cookies\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Users\Default\Cookies\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\cmd.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Users\Default User\cmd.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\cmd.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 13 /tr "'C:\bridgeChainPortRuntimesvc\taskhostw.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\bridgeChainPortRuntimesvc\taskhostw.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 8 /tr "'C:\bridgeChainPortRuntimesvc\taskhostw.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows NT\RuntimeBroker.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows NT\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "WaaSMedicAgentW" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Multimedia Platform\WaaSMedicAgent.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "WaaSMedicAgent" /sc ONLOGON /tr "'C:\Program Files\Windows Multimedia Platform\WaaSMedicAgent.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "WaaSMedicAgentW" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Multimedia Platform\WaaSMedicAgent.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\Users\Public\lsass.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Users\Public\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\Users\Public\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\Users\Default\dwm.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\Default\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\Users\Default\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\Desktop\conhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Users\All Users\Desktop\conhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\Desktop\conhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "WaaSMedicAgentW" /sc MINUTE /mo 6 /tr "'C:\bridgeChainPortRuntimesvc\WaaSMedicAgent.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "WaaSMedicAgent" /sc ONLOGON /tr "'C:\bridgeChainPortRuntimesvc\WaaSMedicAgent.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "WaaSMedicAgentW" /sc MINUTE /mo 9 /tr "'C:\bridgeChainPortRuntimesvc\WaaSMedicAgent.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\OfficeClickToRun.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\OfficeClickToRun.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\OfficeClickToRun.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\dwm.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\conhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\conhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\conhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Windows\assembly\NativeImages_v2.0.50727_32\System.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Windows\assembly\NativeImages_v2.0.50727_32\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\Windows\assembly\NativeImages_v2.0.50727_32\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 10 /tr "'C:\bridgeChainPortRuntimesvc\Registry.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\bridgeChainPortRuntimesvc\Registry.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 6 /tr "'C:\bridgeChainPortRuntimesvc\Registry.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 6 /tr "'C:\Program Files\Internet Explorer\fr-FR\conhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\fr-FR\conhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 9 /tr "'C:\Program Files\Internet Explorer\fr-FR\conhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft\Temp\services.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft\Temp\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft\Temp\services.exe'" /rl HIGHEST /f

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Ftxc1rxNOb.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Recovery\WindowsRE\dllhost.exe

"C:\Recovery\WindowsRE\dllhost.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 23.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 a1008137.xsph.ru udp
RU 141.8.195.33:80 a1008137.xsph.ru tcp
RU 141.8.195.33:80 a1008137.xsph.ru tcp
US 8.8.8.8:53 33.195.8.141.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
RU 141.8.195.33:80 a1008137.xsph.ru tcp

Files

C:\bridgeChainPortRuntimesvc\KYWZumt8BUk9utkyDTH3KdoPURzn.vbe

MD5 ba25eeb03e04ab1178271aaef7bf5ddf
SHA1 8545d635a9399f59cf14b906f94f9ab477bade13
SHA256 27c70f4f1d7f74e55c64bbc362517f9e1747ff088bbc8c39d0d863dd97ce2e1b
SHA512 902de5ed4d696a4f68e5325fd658c14b1919f2c8335d25fc8711a0f6648c1734f3883ece711121741fe6c213e17c4710c8a2f0142a901792d8e2f39f388994e9

C:\bridgeChainPortRuntimesvc\NzJd90omClmvnpBTnUNvAmh.bat

MD5 454b0a8c65b51ac0f6943432a048286b
SHA1 dcd28039faf373d530675b26cf3a129af123a372
SHA256 2a24e0ba60aadef03e44ae2426da5f004b2c38aa954294a600a84ca7c09d61f0
SHA512 18d3428fd739f556b15617b1f755590220acbd8049155443f9d8501162dfb79e9c82cabebe6a72a6dcdd19b6b45e234207ae18cce60c02c179f979ef3c932460

C:\bridgeChainPortRuntimesvc\blockWebmonitor.exe

MD5 8af54f49a06f90d75b53c959e2cf18c4
SHA1 7b9eb10069a742536269e4cf774f2dabb55621d3
SHA256 c931d6645fe8fcc0a50a65e0a2ba3d12eaa3f1e0e3081a7556dc31d2e55c133e
SHA512 deb24679a1c6cf20886f32db035d30a4cf97f6c572cc473923b68092e9ed3ebcf86ba35f5f1624d3c64ff008fdfd9c01f1d581203a84d947cfc5cfe43eaeb25b

memory/1956-12-0x00007FFEE7C23000-0x00007FFEE7C25000-memory.dmp

memory/1956-13-0x00000000006B0000-0x00000000007E2000-memory.dmp

memory/1956-14-0x0000000002900000-0x000000000291C000-memory.dmp

memory/1956-15-0x000000001BB10000-0x000000001BB60000-memory.dmp

memory/1956-16-0x0000000002920000-0x0000000002936000-memory.dmp

memory/1956-17-0x000000001B420000-0x000000001B42C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Ftxc1rxNOb.bat

MD5 8303af4f00a445114bd7d5df3a8357fb
SHA1 2d59f57fa62aa76f02b2c4a906556d89e6945815
SHA256 93c95ee1a1a96be00f01c2b2b4dab41572390339f66252f4c334f0be1d1152a1
SHA512 4d9ac908298377c97e0d0a10c3ef4439c287431d983b4448c27632a730c15eee1f92def85057334b6f39d8d272511979999faf2619c685411a7bc0f491f958b3