Malware Analysis Report

2025-08-06 00:36

Sample ID 231205-vq524sde35
Target Yar.pif
SHA256 e7786686b2b48fd0e29d9c18ffeebb816a75f4e5704170fb9858f7bb9e6d3ff1
Tags
rat dcrat infostealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

e7786686b2b48fd0e29d9c18ffeebb816a75f4e5704170fb9858f7bb9e6d3ff1

Threat Level: Known bad

The file Yar.pif was found to be: Known bad.

Malicious Activity Summary

rat dcrat infostealer

DCRat payload

Process spawned unexpected child process

Dcrat family

DcRat

Checks computer location settings

Loads dropped DLL

Executes dropped EXE

Drops file in Program Files directory

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

Creates scheduled task(s)

Uses Task Scheduler COM API

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-12-05 17:12

Signatures

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Dcrat family

dcrat

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-12-05 17:12

Reported

2023-12-05 17:18

Platform

win7-20231023-en

Max time kernel

131s

Max time network

158s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Yar.exe"

Signatures

DcRat

rat infostealer dcrat

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe (identical row repeated 42 times)

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A (identical row repeated 10 times)

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Bridgehypersurrogate\portsurrogatemonitor.exe N/A
N/A N/A C:\Users\All Users\Favorites\taskhost.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\cc11b995f2a76d C:\Bridgehypersurrogate\portsurrogatemonitor.exe N/A
File created C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\de\cmd.exe C:\Bridgehypersurrogate\portsurrogatemonitor.exe N/A
File created C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\de\ebf1f9fa8afd6d C:\Bridgehypersurrogate\portsurrogatemonitor.exe N/A
File created C:\Program Files\Java\jre7\bin\plugin2\audiodg.exe C:\Bridgehypersurrogate\portsurrogatemonitor.exe N/A
File created C:\Program Files\Java\jre7\bin\plugin2\42af1c969fbb7b C:\Bridgehypersurrogate\portsurrogatemonitor.exe N/A
File created C:\Program Files\Windows Media Player\es-ES\explorer.exe C:\Bridgehypersurrogate\portsurrogatemonitor.exe N/A
File created C:\Program Files\Windows Media Player\es-ES\7a0fd90576e088 C:\Bridgehypersurrogate\portsurrogatemonitor.exe N/A
File created C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\winlogon.exe C:\Bridgehypersurrogate\portsurrogatemonitor.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Help\mui\0411\dwm.exe C:\Bridgehypersurrogate\portsurrogatemonitor.exe N/A
File created C:\Windows\Help\mui\0411\6cb0b6c459d5d3 C:\Bridgehypersurrogate\portsurrogatemonitor.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A (identical row repeated 42 times)

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\All Users\Favorites\taskhost.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Bridgehypersurrogate\portsurrogatemonitor.exe N/A
Token: SeDebugPrivilege N/A C:\Users\All Users\Favorites\taskhost.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1820 wrote to memory of 2172 N/A C:\Users\Admin\AppData\Local\Temp\Yar.exe C:\Windows\SysWOW64\WScript.exe (identical row repeated 4 times)
PID 2172 wrote to memory of 2604 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe (identical row repeated 4 times)
PID 2604 wrote to memory of 2376 N/A C:\Windows\SysWOW64\cmd.exe C:\Bridgehypersurrogate\portsurrogatemonitor.exe (identical row repeated 4 times)
PID 2376 wrote to memory of 1740 N/A C:\Bridgehypersurrogate\portsurrogatemonitor.exe C:\Windows\System32\cmd.exe (identical row repeated 3 times)
PID 1740 wrote to memory of 2020 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe (identical row repeated 3 times)
PID 1740 wrote to memory of 2272 N/A C:\Windows\System32\cmd.exe C:\Users\All Users\Favorites\taskhost.exe (identical row repeated 3 times)

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\Yar.exe

"C:\Users\Admin\AppData\Local\Temp\Yar.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Bridgehypersurrogate\mtYSF.vbe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Bridgehypersurrogate\vhpRdxgjT8JEEAKHpAXjiDc8va.bat" "

C:\Bridgehypersurrogate\portsurrogatemonitor.exe

"C:\Bridgehypersurrogate\portsurrogatemonitor.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsml" /sc MINUTE /mo 14 /tr "'C:\Recovery\8085ef82-71fa-11ee-8ff5-ea7cdd3ca6eb\lsm.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Recovery\8085ef82-71fa-11ee-8ff5-ea7cdd3ca6eb\lsm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsml" /sc MINUTE /mo 13 /tr "'C:\Recovery\8085ef82-71fa-11ee-8ff5-ea7cdd3ca6eb\lsm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\Favorites\taskhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Users\All Users\Favorites\taskhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\Favorites\taskhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\Windows\Help\mui\0411\dwm.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\Help\mui\0411\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\Windows\Help\mui\0411\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "portsurrogatemonitorp" /sc MINUTE /mo 14 /tr "'C:\Users\Public\Videos\Sample Videos\portsurrogatemonitor.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "portsurrogatemonitor" /sc ONLOGON /tr "'C:\Users\Public\Videos\Sample Videos\portsurrogatemonitor.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "portsurrogatemonitorp" /sc MINUTE /mo 10 /tr "'C:\Users\Public\Videos\Sample Videos\portsurrogatemonitor.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\SendTo\wininit.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\Admin\SendTo\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\SendTo\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\winlogon.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Default User\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\Recovery\8085ef82-71fa-11ee-8ff5-ea7cdd3ca6eb\dwm.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\8085ef82-71fa-11ee-8ff5-ea7cdd3ca6eb\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\Recovery\8085ef82-71fa-11ee-8ff5-ea7cdd3ca6eb\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\de\cmd.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\de\cmd.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\de\cmd.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 11 /tr "'C:\Program Files\Java\jre7\bin\plugin2\audiodg.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files\Java\jre7\bin\plugin2\audiodg.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 5 /tr "'C:\Program Files\Java\jre7\bin\plugin2\audiodg.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "portsurrogatemonitorp" /sc MINUTE /mo 7 /tr "'C:\Recovery\8085ef82-71fa-11ee-8ff5-ea7cdd3ca6eb\portsurrogatemonitor.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "portsurrogatemonitor" /sc ONLOGON /tr "'C:\Recovery\8085ef82-71fa-11ee-8ff5-ea7cdd3ca6eb\portsurrogatemonitor.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "portsurrogatemonitorp" /sc MINUTE /mo 14 /tr "'C:\Recovery\8085ef82-71fa-11ee-8ff5-ea7cdd3ca6eb\portsurrogatemonitor.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Media Player\es-ES\explorer.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\es-ES\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Media Player\es-ES\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 11 /tr "'C:\Recovery\8085ef82-71fa-11ee-8ff5-ea7cdd3ca6eb\audiodg.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Recovery\8085ef82-71fa-11ee-8ff5-ea7cdd3ca6eb\audiodg.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 8 /tr "'C:\Recovery\8085ef82-71fa-11ee-8ff5-ea7cdd3ca6eb\audiodg.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Recovery\8085ef82-71fa-11ee-8ff5-ea7cdd3ca6eb\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\8085ef82-71fa-11ee-8ff5-ea7cdd3ca6eb\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Recovery\8085ef82-71fa-11ee-8ff5-ea7cdd3ca6eb\csrss.exe'" /rl HIGHEST /f

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\RFscmbZ2Qm.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Users\All Users\Favorites\taskhost.exe

"C:\Users\All Users\Favorites\taskhost.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 a0892776.xsph.ru udp
RU 141.8.192.6:80 a0892776.xsph.ru tcp
RU 141.8.192.6:80 a0892776.xsph.ru tcp
RU 141.8.192.6:80 a0892776.xsph.ru tcp

Files

C:\Bridgehypersurrogate\mtYSF.vbe

MD5 72f05710288e42849e3835e7f5cb7748
SHA1 e866b3ff38d5109cf5e1e16c692358bceef4473d
SHA256 acceb8a17863212277b22f009d76118e4d9aa5e76ca66fe2602b02fe2fcb9c3b
SHA512 52fd1010e2455c65fb9eef4000b096af5aee79561260e7d238cd261ac28377402d26ff57aa5e86fc18156a5ab273f0aba2c25f7c899d6359b47dcfe3e0c7f0b0

C:\Bridgehypersurrogate\vhpRdxgjT8JEEAKHpAXjiDc8va.bat

MD5 8340b7a68f0e70aca070b138792520d4
SHA1 aeea5b3aabda84add611832ccb2badd157e8444e
SHA256 f747e81cbf3144de5af7f620fcfc64daf38f43bb8a1ac3ba35d14805665f6c12
SHA512 4e96073d06dcca9cf6d8ac52f7dbebd0ac106e7108f1c3ffb23425e176feb2306efe2d2b846aa13c7365f33499c75a14167bd6d4b4c61fbf223ed99b968e771f

C:\Bridgehypersurrogate\portsurrogatemonitor.exe

MD5 9177dc1235ce8da32d20e3367b018637
SHA1 9785e90b1869e793af72f4f9b0ef0ae16ec8c68d
SHA256 98c4e03e9fdf63edeeca075cc28a7542b696174980072d4279b6864013179b6d
SHA512 a1cc796ce9618da26f3c7737483f3b21c05b8c4712b871d4a5fcda2581791b4f036e7ae9f4fdbe3b4975f98c943b19141e51da724614162e772ce5a94213e739

memory/2376-13-0x0000000000BC0000-0x0000000000C96000-memory.dmp

memory/2376-14-0x000007FEF6110000-0x000007FEF6AFC000-memory.dmp

memory/2376-15-0x000000001B010000-0x000000001B090000-memory.dmp

C:\Windows\Help\mui\0411\dwm.exe

MD5 9177dc1235ce8da32d20e3367b018637
SHA1 9785e90b1869e793af72f4f9b0ef0ae16ec8c68d
SHA256 98c4e03e9fdf63edeeca075cc28a7542b696174980072d4279b6864013179b6d
SHA512 a1cc796ce9618da26f3c7737483f3b21c05b8c4712b871d4a5fcda2581791b4f036e7ae9f4fdbe3b4975f98c943b19141e51da724614162e772ce5a94213e739

C:\Users\Admin\AppData\Local\Temp\RFscmbZ2Qm.bat

MD5 854a8abfb62a5f4d9ed525d7607c9433
SHA1 e6b2a1af2dbe9fa4d14113ec05d83824f79a24e3
SHA256 d1565f8fec41bf55d36891846f68c0268fcd682dc0fce61d4d3ba28ffae0cb1e
SHA512 8bd295aaa461e3eaa19df3ef7c65a4b0719cd3a8c7348bffcbe8cec82dbd5929cc5e4b26904baaddc342a01344c4e6bb319db698615118a8947fd78683527d6d

memory/2376-49-0x000007FEF6110000-0x000007FEF6AFC000-memory.dmp

C:\Users\All Users\Favorites\taskhost.exe

MD5 9177dc1235ce8da32d20e3367b018637
SHA1 9785e90b1869e793af72f4f9b0ef0ae16ec8c68d
SHA256 98c4e03e9fdf63edeeca075cc28a7542b696174980072d4279b6864013179b6d
SHA512 a1cc796ce9618da26f3c7737483f3b21c05b8c4712b871d4a5fcda2581791b4f036e7ae9f4fdbe3b4975f98c943b19141e51da724614162e772ce5a94213e739

C:\Users\Public\Favorites\taskhost.exe

MD5 9177dc1235ce8da32d20e3367b018637
SHA1 9785e90b1869e793af72f4f9b0ef0ae16ec8c68d
SHA256 98c4e03e9fdf63edeeca075cc28a7542b696174980072d4279b6864013179b6d
SHA512 a1cc796ce9618da26f3c7737483f3b21c05b8c4712b871d4a5fcda2581791b4f036e7ae9f4fdbe3b4975f98c943b19141e51da724614162e772ce5a94213e739

memory/2272-53-0x000007FEF5720000-0x000007FEF610C000-memory.dmp

memory/2272-52-0x0000000000FE0000-0x00000000010B6000-memory.dmp

memory/2272-54-0x000000001B1E0000-0x000000001B260000-memory.dmp

memory/2272-55-0x000007FEF5720000-0x000007FEF610C000-memory.dmp

memory/2272-56-0x000000001B1E0000-0x000000001B260000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-12-05 17:12

Reported

2023-12-05 17:18

Platform

win10v2004-20231127-en

Max time kernel

145s

Max time network

156s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Yar.exe"

Signatures

DcRat

rat infostealer dcrat

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe (identical row repeated 64 times)

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2037190880-819243489-950462038-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Yar.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2037190880-819243489-950462038-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\WScript.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2037190880-819243489-950462038-1000\Control Panel\International\Geo\Nation C:\Bridgehypersurrogate\portsurrogatemonitor.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2037190880-819243489-950462038-1000\Control Panel\International\Geo\Nation C:\Bridgehypersurrogate\portsurrogatemonitor.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2037190880-819243489-950462038-1000\Control Panel\International\Geo\Nation C:\Bridgehypersurrogate\portsurrogatemonitor.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\MSBuild\24dbde2999530e C:\Bridgehypersurrogate\portsurrogatemonitor.exe N/A
File created C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\RuntimeBroker.exe C:\Bridgehypersurrogate\portsurrogatemonitor.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_neutral_split.scale-125_8wekyb3d8bbwe\microsoft.system.package.metadata\csrss.exe C:\Bridgehypersurrogate\portsurrogatemonitor.exe N/A
File created C:\Program Files (x86)\Windows Defender\ja-JP\7a0fd90576e088 C:\Bridgehypersurrogate\portsurrogatemonitor.exe N/A
File created C:\Program Files\VideoLAN\VLC\c5b4cb5e9653cc C:\Bridgehypersurrogate\portsurrogatemonitor.exe N/A
File created C:\Program Files\Windows NT\TableTextService\en-US\conhost.exe C:\Bridgehypersurrogate\portsurrogatemonitor.exe N/A
File created C:\Program Files\Windows NT\TableTextService\en-US\088424020bedd6 C:\Bridgehypersurrogate\portsurrogatemonitor.exe N/A
File created C:\Program Files\Windows Multimedia Platform\RuntimeBroker.exe C:\Bridgehypersurrogate\portsurrogatemonitor.exe N/A
File opened for modification C:\Program Files\Windows Multimedia Platform\RuntimeBroker.exe C:\Bridgehypersurrogate\portsurrogatemonitor.exe N/A
File created C:\Program Files\Windows Multimedia Platform\9e8d7a4ca61bd9 C:\Bridgehypersurrogate\portsurrogatemonitor.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.Wallet_2.4.18324.0_x64__8wekyb3d8bbwe\RuntimeBroker.exe C:\Bridgehypersurrogate\portsurrogatemonitor.exe N/A
File created C:\Program Files (x86)\Windows Defender\ja-JP\OfficeClickToRun.exe C:\Bridgehypersurrogate\portsurrogatemonitor.exe N/A
File created C:\Program Files\Reference Assemblies\Microsoft\Framework\c82b8037eab33d C:\Bridgehypersurrogate\portsurrogatemonitor.exe N/A
File created C:\Program Files (x86)\Windows Defender\ja-JP\e6c9b481da804f C:\Bridgehypersurrogate\portsurrogatemonitor.exe N/A
File created C:\Program Files (x86)\Windows Photo Viewer\fr-FR\dllhost.exe C:\Bridgehypersurrogate\portsurrogatemonitor.exe N/A
File created C:\Program Files\Uninstall Information\OfficeClickToRun.exe C:\Bridgehypersurrogate\portsurrogatemonitor.exe N/A
File created C:\Program Files\MSBuild\WmiPrvSE.exe C:\Bridgehypersurrogate\portsurrogatemonitor.exe N/A
File created C:\Program Files (x86)\Windows Defender\ja-JP\explorer.exe C:\Bridgehypersurrogate\portsurrogatemonitor.exe N/A
File created C:\Program Files\VideoLAN\VLC\services.exe C:\Bridgehypersurrogate\portsurrogatemonitor.exe N/A
File created C:\Program Files\Reference Assemblies\Microsoft\Framework\WaaSMedicAgent.exe C:\Bridgehypersurrogate\portsurrogatemonitor.exe N/A
File created C:\Program Files\Uninstall Information\e6c9b481da804f C:\Bridgehypersurrogate\portsurrogatemonitor.exe N/A
File created C:\Program Files (x86)\Windows Photo Viewer\fr-FR\5940a34987c991 C:\Bridgehypersurrogate\portsurrogatemonitor.exe N/A
File created C:\Program Files\WindowsPowerShell\StartMenuExperienceHost.exe C:\Bridgehypersurrogate\portsurrogatemonitor.exe N/A
File created C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\9e8d7a4ca61bd9 C:\Bridgehypersurrogate\portsurrogatemonitor.exe N/A
File created C:\Program Files\WindowsPowerShell\55b276f4edf653 C:\Bridgehypersurrogate\portsurrogatemonitor.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\de-DE\MoUsoCoreWorker.exe C:\Bridgehypersurrogate\portsurrogatemonitor.exe N/A
File created C:\Windows\de-DE\1f93f77a7f4778 C:\Bridgehypersurrogate\portsurrogatemonitor.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2037190880-819243489-950462038-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\Yar.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2037190880-819243489-950462038-1000_Classes\Local Settings C:\Bridgehypersurrogate\portsurrogatemonitor.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\de-DE\MoUsoCoreWorker.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Bridgehypersurrogate\portsurrogatemonitor.exe N/A
Token: SeDebugPrivilege N/A C:\Bridgehypersurrogate\portsurrogatemonitor.exe N/A
Token: SeDebugPrivilege N/A C:\Bridgehypersurrogate\portsurrogatemonitor.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\de-DE\MoUsoCoreWorker.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2636 wrote to memory of 4396 N/A C:\Users\Admin\AppData\Local\Temp\Yar.exe C:\Windows\SysWOW64\WScript.exe
PID 2636 wrote to memory of 4396 N/A C:\Users\Admin\AppData\Local\Temp\Yar.exe C:\Windows\SysWOW64\WScript.exe
PID 2636 wrote to memory of 4396 N/A C:\Users\Admin\AppData\Local\Temp\Yar.exe C:\Windows\SysWOW64\WScript.exe
PID 4396 wrote to memory of 1552 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 4396 wrote to memory of 1552 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 4396 wrote to memory of 1552 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 1552 wrote to memory of 1504 N/A C:\Windows\SysWOW64\cmd.exe C:\Bridgehypersurrogate\portsurrogatemonitor.exe
PID 1552 wrote to memory of 1504 N/A C:\Windows\SysWOW64\cmd.exe C:\Bridgehypersurrogate\portsurrogatemonitor.exe
PID 1504 wrote to memory of 3404 N/A C:\Bridgehypersurrogate\portsurrogatemonitor.exe C:\Bridgehypersurrogate\portsurrogatemonitor.exe
PID 1504 wrote to memory of 3404 N/A C:\Bridgehypersurrogate\portsurrogatemonitor.exe C:\Bridgehypersurrogate\portsurrogatemonitor.exe
PID 3404 wrote to memory of 2412 N/A C:\Bridgehypersurrogate\portsurrogatemonitor.exe C:\Windows\System32\cmd.exe
PID 3404 wrote to memory of 2412 N/A C:\Bridgehypersurrogate\portsurrogatemonitor.exe C:\Windows\System32\cmd.exe
PID 2412 wrote to memory of 976 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 2412 wrote to memory of 976 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 2412 wrote to memory of 1636 N/A C:\Windows\System32\cmd.exe C:\Bridgehypersurrogate\portsurrogatemonitor.exe
PID 2412 wrote to memory of 1636 N/A C:\Windows\System32\cmd.exe C:\Bridgehypersurrogate\portsurrogatemonitor.exe
PID 1636 wrote to memory of 4256 N/A C:\Bridgehypersurrogate\portsurrogatemonitor.exe C:\Windows\de-DE\MoUsoCoreWorker.exe
PID 1636 wrote to memory of 4256 N/A C:\Bridgehypersurrogate\portsurrogatemonitor.exe C:\Windows\de-DE\MoUsoCoreWorker.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\Yar.exe

"C:\Users\Admin\AppData\Local\Temp\Yar.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Bridgehypersurrogate\mtYSF.vbe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Bridgehypersurrogate\vhpRdxgjT8JEEAKHpAXjiDc8va.bat" "

C:\Bridgehypersurrogate\portsurrogatemonitor.exe

"C:\Bridgehypersurrogate\portsurrogatemonitor.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 9 /tr "'C:\Bridgehypersurrogate\conhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Bridgehypersurrogate\conhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 7 /tr "'C:\Bridgehypersurrogate\conhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 13 /tr "'C:\Bridgehypersurrogate\backgroundTaskHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Bridgehypersurrogate\backgroundTaskHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 8 /tr "'C:\Users\Default\NetHood\fontdrvhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 9 /tr "'C:\Users\Default\NetHood\fontdrvhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\TextInputHost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\Program Files\VideoLAN\VLC\services.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\TextInputHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\Program Files\VideoLAN\VLC\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows NT\TableTextService\en-US\conhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files\Windows NT\TableTextService\en-US\conhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows NT\TableTextService\en-US\conhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\wininit.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\VLC\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\TextInputHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "WaaSMedicAgentW" /sc MINUTE /mo 5 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\WaaSMedicAgent.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\wininit.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Users\Default\NetHood\fontdrvhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "WaaSMedicAgentW" /sc MINUTE /mo 9 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\WaaSMedicAgent.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "WaaSMedicAgent" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\WaaSMedicAgent.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 10 /tr "'C:\Bridgehypersurrogate\backgroundTaskHost.exe'" /f

C:\Bridgehypersurrogate\portsurrogatemonitor.exe

"C:\Bridgehypersurrogate\portsurrogatemonitor.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\Windows Multimedia Platform\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Multimedia Platform\RuntimeBroker.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Multimedia Platform\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Users\Default\SendTo\OfficeClickToRun.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 9 /tr "'C:\Users\Default\SendTo\OfficeClickToRun.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\SearchApp.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 10 /tr "'C:\Users\Default\SendTo\OfficeClickToRun.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Users\Default User\SearchApp.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 13 /tr "'C:\Program Files\Uninstall Information\OfficeClickToRun.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\OfficeClickToRun.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 5 /tr "'C:\Program Files\Uninstall Information\OfficeClickToRun.exe'" /f

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\N453jLUqHI.bat"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 8 /tr "'C:\Users\Default User\SearchApp.exe'" /rl HIGHEST /f

C:\Bridgehypersurrogate\portsurrogatemonitor.exe

"C:\Bridgehypersurrogate\portsurrogatemonitor.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\upfc.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\upfc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\upfc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\RuntimeBroker.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files\MSBuild\WmiPrvSE.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 12 /tr "'C:\Program Files\MSBuild\WmiPrvSE.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\odt\Idle.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\odt\Idle.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Bridgehypersurrogate\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\Bridgehypersurrogate\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Defender\ja-JP\OfficeClickToRun.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Bridgehypersurrogate\Idle.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Bridgehypersurrogate\Idle.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Defender\ja-JP\OfficeClickToRun.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\Bridgehypersurrogate\Idle.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\odt\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\odt\System.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\odt\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\ja-JP\OfficeClickToRun.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Photo Viewer\fr-FR\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "MoUsoCoreWorker" /sc ONLOGON /tr "'C:\Windows\de-DE\MoUsoCoreWorker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "MoUsoCoreWorkerM" /sc MINUTE /mo 10 /tr "'C:\Windows\de-DE\MoUsoCoreWorker.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\ja-JP\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Defender\ja-JP\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Users\Default User\SppExtComObj.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\SppExtComObj.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Defender\ja-JP\explorer.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "MoUsoCoreWorkerM" /sc MINUTE /mo 13 /tr "'C:\Windows\de-DE\MoUsoCoreWorker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\SppExtComObj.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\fr-FR\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Photo Viewer\fr-FR\dllhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\Bridgehypersurrogate\dwm.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 10 /tr "'C:\Program Files\WindowsPowerShell\StartMenuExperienceHost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Program Files\WindowsPowerShell\StartMenuExperienceHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\odt\Idle.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 14 /tr "'C:\Program Files\WindowsPowerShell\StartMenuExperienceHost.exe'" /rl HIGHEST /f

C:\Windows\de-DE\MoUsoCoreWorker.exe

"C:\Windows\de-DE\MoUsoCoreWorker.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 7 /tr "'C:\Program Files\MSBuild\WmiPrvSE.exe'" /rl HIGHEST /f

Network

Country Destination Domain Proto
US 8.8.8.8:53 72.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
US 8.8.8.8:53 72.77.123.92.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 198.1.85.104.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 a0892776.xsph.ru udp
RU 141.8.192.6:80 a0892776.xsph.ru tcp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 6.192.8.141.in-addr.arpa udp
RU 141.8.192.6:80 a0892776.xsph.ru tcp
US 8.8.8.8:53 25.14.97.104.in-addr.arpa udp
US 8.8.8.8:53 80.14.97.104.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 122.10.44.20.in-addr.arpa udp
RU 141.8.192.6:80 a0892776.xsph.ru tcp

Files

C:\Bridgehypersurrogate\mtYSF.vbe

MD5 72f05710288e42849e3835e7f5cb7748
SHA1 e866b3ff38d5109cf5e1e16c692358bceef4473d
SHA256 acceb8a17863212277b22f009d76118e4d9aa5e76ca66fe2602b02fe2fcb9c3b
SHA512 52fd1010e2455c65fb9eef4000b096af5aee79561260e7d238cd261ac28377402d26ff57aa5e86fc18156a5ab273f0aba2c25f7c899d6359b47dcfe3e0c7f0b0

C:\Bridgehypersurrogate\vhpRdxgjT8JEEAKHpAXjiDc8va.bat

MD5 8340b7a68f0e70aca070b138792520d4
SHA1 aeea5b3aabda84add611832ccb2badd157e8444e
SHA256 f747e81cbf3144de5af7f620fcfc64daf38f43bb8a1ac3ba35d14805665f6c12
SHA512 4e96073d06dcca9cf6d8ac52f7dbebd0ac106e7108f1c3ffb23425e176feb2306efe2d2b846aa13c7365f33499c75a14167bd6d4b4c61fbf223ed99b968e771f

C:\Bridgehypersurrogate\portsurrogatemonitor.exe

MD5 9177dc1235ce8da32d20e3367b018637
SHA1 9785e90b1869e793af72f4f9b0ef0ae16ec8c68d
SHA256 98c4e03e9fdf63edeeca075cc28a7542b696174980072d4279b6864013179b6d
SHA512 a1cc796ce9618da26f3c7737483f3b21c05b8c4712b871d4a5fcda2581791b4f036e7ae9f4fdbe3b4975f98c943b19141e51da724614162e772ce5a94213e739

C:\Bridgehypersurrogate\portsurrogatemonitor.exe

MD5 9177dc1235ce8da32d20e3367b018637
SHA1 9785e90b1869e793af72f4f9b0ef0ae16ec8c68d
SHA256 98c4e03e9fdf63edeeca075cc28a7542b696174980072d4279b6864013179b6d
SHA512 a1cc796ce9618da26f3c7737483f3b21c05b8c4712b871d4a5fcda2581791b4f036e7ae9f4fdbe3b4975f98c943b19141e51da724614162e772ce5a94213e739

memory/1504-12-0x00000000007B0000-0x0000000000886000-memory.dmp

memory/1504-13-0x00007FFB7D810000-0x00007FFB7E2D1000-memory.dmp

memory/1504-14-0x000000001B510000-0x000000001B520000-memory.dmp

C:\Bridgehypersurrogate\backgroundTaskHost.exe

MD5 9177dc1235ce8da32d20e3367b018637
SHA1 9785e90b1869e793af72f4f9b0ef0ae16ec8c68d
SHA256 98c4e03e9fdf63edeeca075cc28a7542b696174980072d4279b6864013179b6d
SHA512 a1cc796ce9618da26f3c7737483f3b21c05b8c4712b871d4a5fcda2581791b4f036e7ae9f4fdbe3b4975f98c943b19141e51da724614162e772ce5a94213e739

C:\Bridgehypersurrogate\portsurrogatemonitor.exe

MD5 9177dc1235ce8da32d20e3367b018637
SHA1 9785e90b1869e793af72f4f9b0ef0ae16ec8c68d
SHA256 98c4e03e9fdf63edeeca075cc28a7542b696174980072d4279b6864013179b6d
SHA512 a1cc796ce9618da26f3c7737483f3b21c05b8c4712b871d4a5fcda2581791b4f036e7ae9f4fdbe3b4975f98c943b19141e51da724614162e772ce5a94213e739

memory/3404-38-0x000000001B730000-0x000000001B740000-memory.dmp

memory/1504-37-0x00007FFB7D810000-0x00007FFB7E2D1000-memory.dmp

memory/3404-36-0x00007FFB7D810000-0x00007FFB7E2D1000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\portsurrogatemonitor.exe.log

MD5 7f3c0ae41f0d9ae10a8985a2c327b8fb
SHA1 d58622bf6b5071beacf3b35bb505bde2000983e3
SHA256 519fceae4d0dd4d09edd1b81bcdfa8aeab4b59eee77a4cd4b6295ce8e591a900
SHA512 8a8fd17eef071f86e672cba0d8fc2cfed6118aff816100b9d7c06eb96443c04c04bc5692259c8d7ecb1563e877921939c61726605af4f969e3f586f0913ed125

C:\Users\Admin\AppData\Local\Temp\N453jLUqHI.bat

MD5 83a00618e44d1fe31302aaa45a35c5f2
SHA1 575b1481438f283eecfedfb04b7983c36f7fd68d
SHA256 46194d5e33b9b8be66aba56f5d15bfe7a0554d4d0b0def5948b07ac393bd5520
SHA512 ab707023b1c30c992185b1c803e0b5dfaf433b78703eebccb8a9df1ded2774fdbbc23747d2a34d1cbecd2254eb5eee4b0ca20760fbc105ff9f1bbc3d9dd1d1d9

memory/3404-52-0x00007FFB7D810000-0x00007FFB7E2D1000-memory.dmp

memory/1636-54-0x00007FFB7D810000-0x00007FFB7E2D1000-memory.dmp

C:\Bridgehypersurrogate\portsurrogatemonitor.exe

MD5 9177dc1235ce8da32d20e3367b018637
SHA1 9785e90b1869e793af72f4f9b0ef0ae16ec8c68d
SHA256 98c4e03e9fdf63edeeca075cc28a7542b696174980072d4279b6864013179b6d
SHA512 a1cc796ce9618da26f3c7737483f3b21c05b8c4712b871d4a5fcda2581791b4f036e7ae9f4fdbe3b4975f98c943b19141e51da724614162e772ce5a94213e739

memory/1636-55-0x000000001B720000-0x000000001B730000-memory.dmp

C:\Windows\de-DE\MoUsoCoreWorker.exe

MD5 9177dc1235ce8da32d20e3367b018637
SHA1 9785e90b1869e793af72f4f9b0ef0ae16ec8c68d
SHA256 98c4e03e9fdf63edeeca075cc28a7542b696174980072d4279b6864013179b6d
SHA512 a1cc796ce9618da26f3c7737483f3b21c05b8c4712b871d4a5fcda2581791b4f036e7ae9f4fdbe3b4975f98c943b19141e51da724614162e772ce5a94213e739

memory/4256-95-0x00007FFB7D810000-0x00007FFB7E2D1000-memory.dmp

memory/1636-94-0x00007FFB7D810000-0x00007FFB7E2D1000-memory.dmp

C:\Windows\de-DE\MoUsoCoreWorker.exe

MD5 9177dc1235ce8da32d20e3367b018637
SHA1 9785e90b1869e793af72f4f9b0ef0ae16ec8c68d
SHA256 98c4e03e9fdf63edeeca075cc28a7542b696174980072d4279b6864013179b6d
SHA512 a1cc796ce9618da26f3c7737483f3b21c05b8c4712b871d4a5fcda2581791b4f036e7ae9f4fdbe3b4975f98c943b19141e51da724614162e772ce5a94213e739

memory/4256-96-0x0000000001790000-0x00000000017A0000-memory.dmp

memory/4256-97-0x00007FFB7D810000-0x00007FFB7E2D1000-memory.dmp

memory/4256-98-0x0000000001790000-0x00000000017A0000-memory.dmp