Malware Analysis Report

2025-06-15 19:46

Sample ID 240326-bwyenseb5v
Target 1cf1c8a6b74890f6d1913bf3b9e46a79.bin
SHA256 d973afd9cfbb7f64c9c291742e25c8ac0639144da7f8a027413f7b6ac7a99944
Tags
rat dcrat infostealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

d973afd9cfbb7f64c9c291742e25c8ac0639144da7f8a027413f7b6ac7a99944

Threat Level: Known bad

The file 1cf1c8a6b74890f6d1913bf3b9e46a79.bin was found to be: Known bad.

Malicious Activity Summary

rat dcrat infostealer

DcRat

Process spawned unexpected child process

Dcrat family

DCRat payload

DCRat payload

Executes dropped EXE

Loads dropped DLL

Checks computer location settings

Drops file in Program Files directory

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

Modifies registry class

Suspicious use of AdjustPrivilegeToken

Uses Task Scheduler COM API

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Creates scheduled task(s)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-03-26 01:30

Signatures

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Dcrat family

dcrat

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-26 01:30

Reported

2024-03-26 01:32

Platform

win7-20240221-en

Max time kernel

121s

Max time network

126s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6efee44acf580c370d19926398438acb40a8c63120bad4e2502d8a847e011239.exe"

Signatures

DcRat

rat infostealer dcrat

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\BlockSurrogateagentFont\hostnet.exe N/A
N/A N/A C:\BlockSurrogateagentFont\cmd.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Microsoft Games\FreeCell\de-DE\System.exe C:\BlockSurrogateagentFont\hostnet.exe N/A
File created C:\Program Files\Microsoft Games\FreeCell\de-DE\27d1bcfc3c54e0 C:\BlockSurrogateagentFont\hostnet.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\PLA\Templates\lsass.exe C:\BlockSurrogateagentFont\hostnet.exe N/A
File created C:\Windows\PLA\Templates\6203df4a6bafc7 C:\BlockSurrogateagentFont\hostnet.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\BlockSurrogateagentFont\hostnet.exe N/A
N/A N/A C:\BlockSurrogateagentFont\hostnet.exe N/A
N/A N/A C:\BlockSurrogateagentFont\hostnet.exe N/A
N/A N/A C:\BlockSurrogateagentFont\cmd.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\BlockSurrogateagentFont\hostnet.exe N/A
Token: SeDebugPrivilege N/A C:\BlockSurrogateagentFont\cmd.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2440 wrote to memory of 2992 N/A C:\Users\Admin\AppData\Local\Temp\6efee44acf580c370d19926398438acb40a8c63120bad4e2502d8a847e011239.exe C:\Windows\SysWOW64\WScript.exe
PID 2440 wrote to memory of 2992 N/A C:\Users\Admin\AppData\Local\Temp\6efee44acf580c370d19926398438acb40a8c63120bad4e2502d8a847e011239.exe C:\Windows\SysWOW64\WScript.exe
PID 2440 wrote to memory of 2992 N/A C:\Users\Admin\AppData\Local\Temp\6efee44acf580c370d19926398438acb40a8c63120bad4e2502d8a847e011239.exe C:\Windows\SysWOW64\WScript.exe
PID 2440 wrote to memory of 2992 N/A C:\Users\Admin\AppData\Local\Temp\6efee44acf580c370d19926398438acb40a8c63120bad4e2502d8a847e011239.exe C:\Windows\SysWOW64\WScript.exe
PID 2992 wrote to memory of 2576 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 2992 wrote to memory of 2576 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 2992 wrote to memory of 2576 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 2992 wrote to memory of 2576 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 2576 wrote to memory of 2560 N/A C:\Windows\SysWOW64\cmd.exe C:\BlockSurrogateagentFont\hostnet.exe
PID 2576 wrote to memory of 2560 N/A C:\Windows\SysWOW64\cmd.exe C:\BlockSurrogateagentFont\hostnet.exe
PID 2576 wrote to memory of 2560 N/A C:\Windows\SysWOW64\cmd.exe C:\BlockSurrogateagentFont\hostnet.exe
PID 2576 wrote to memory of 2560 N/A C:\Windows\SysWOW64\cmd.exe C:\BlockSurrogateagentFont\hostnet.exe
PID 2560 wrote to memory of 2932 N/A C:\BlockSurrogateagentFont\hostnet.exe C:\Windows\System32\cmd.exe
PID 2560 wrote to memory of 2932 N/A C:\BlockSurrogateagentFont\hostnet.exe C:\Windows\System32\cmd.exe
PID 2560 wrote to memory of 2932 N/A C:\BlockSurrogateagentFont\hostnet.exe C:\Windows\System32\cmd.exe
PID 2932 wrote to memory of 896 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 2932 wrote to memory of 896 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 2932 wrote to memory of 896 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 2932 wrote to memory of 1456 N/A C:\Windows\System32\cmd.exe C:\BlockSurrogateagentFont\cmd.exe
PID 2932 wrote to memory of 1456 N/A C:\Windows\System32\cmd.exe C:\BlockSurrogateagentFont\cmd.exe
PID 2932 wrote to memory of 1456 N/A C:\Windows\System32\cmd.exe C:\BlockSurrogateagentFont\cmd.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\6efee44acf580c370d19926398438acb40a8c63120bad4e2502d8a847e011239.exe

"C:\Users\Admin\AppData\Local\Temp\6efee44acf580c370d19926398438acb40a8c63120bad4e2502d8a847e011239.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\BlockSurrogateagentFont\fQyg6J4g9nmbhwQ5lS61NpcW4.vbe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\BlockSurrogateagentFont\xRLfwMVgfRAMuw596iKz87.bat" "

C:\BlockSurrogateagentFont\hostnet.exe

"C:\BlockSurrogateagentFont\hostnet.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\Videos\lsass.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Users\Admin\Videos\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\Videos\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\spoolsv.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\Program Files\Microsoft Games\FreeCell\de-DE\System.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files\Microsoft Games\FreeCell\de-DE\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\Program Files\Microsoft Games\FreeCell\de-DE\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\Microsoft\NetFramework\BreadcrumbStore\dwm.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\All Users\Microsoft\NetFramework\BreadcrumbStore\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\Microsoft\NetFramework\BreadcrumbStore\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 10 /tr "'C:\BlockSurrogateagentFont\cmd.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\BlockSurrogateagentFont\cmd.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 9 /tr "'C:\BlockSurrogateagentFont\cmd.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\services.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 14 /tr "'C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\cmd.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\cmd.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 13 /tr "'C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\cmd.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\Windows\PLA\Templates\lsass.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\PLA\Templates\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\Windows\PLA\Templates\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\Templates\lsass.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Users\Admin\Templates\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\Templates\lsass.exe'" /rl HIGHEST /f

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\NXbjsV5dMk.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\BlockSurrogateagentFont\cmd.exe

"C:\BlockSurrogateagentFont\cmd.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 a0869574.xsph.ru udp
RU 141.8.197.42:80 a0869574.xsph.ru tcp
RU 141.8.197.42:80 a0869574.xsph.ru tcp

Files

C:\BlockSurrogateagentFont\fQyg6J4g9nmbhwQ5lS61NpcW4.vbe

MD5 277c7ccc3313d83f51d594cba0ae300d
SHA1 48531a959a24846841b8fda471c5fea259f2ca38
SHA256 175078a008fd8a809b77f11c51933d1a9e5181282523819875e7afea24c52b96
SHA512 311e654150ad8bf4bf9b38a7b876f205cf5a450be4b6a9ced8a7e3e15ca1137a4f1dbfac0dce058031a616b4621ec592592db17e10f1753f739f710b1f54c5ac

C:\BlockSurrogateagentFont\xRLfwMVgfRAMuw596iKz87.bat

MD5 15611ce0ff6e3e772e3a8b7ac6cf4653
SHA1 75bc873877b06c9413cc8d1908106ed143cd4bf0
SHA256 630c1433757569b9e123313255a23d50e82a629396121ff21df67a56ebf92ae3
SHA512 1151ee66357bdb4946f534cfe5a509497ccc57668fb874d17977740db6a6796fbdd6893e3196c3dab0be44f9f1b4f1c0f8870593a960a384f978bd5a1813fe71

\BlockSurrogateagentFont\hostnet.exe

MD5 53827648303c620a8fa81a2998ae5ae5
SHA1 8aa7c650f061e7d7f396718e6b4d8934392b60bb
SHA256 b1f886a9cc761bbe9e6bb5287d414d3ba0e1402c6d1c055435985e3bcacbf652
SHA512 273bb61dbde98abc172e9afe83f25e1d2b93d0dcb9a5dd8ebef03f70c677499c4d3c1788a9fa9e71131847ba1a2e6d4ffcdac20c3496b472377756f112d1550d

memory/2560-14-0x0000000000B90000-0x0000000000D12000-memory.dmp

memory/2560-15-0x000007FEF5A70000-0x000007FEF645C000-memory.dmp

memory/2560-16-0x000000001B020000-0x000000001B0A0000-memory.dmp

memory/2560-17-0x00000000004D0000-0x00000000004DE000-memory.dmp

memory/2560-18-0x00000000004E0000-0x00000000004FC000-memory.dmp

memory/2560-19-0x0000000000710000-0x0000000000726000-memory.dmp

memory/2560-20-0x0000000000500000-0x0000000000510000-memory.dmp

memory/2560-21-0x0000000000730000-0x0000000000742000-memory.dmp

memory/2560-22-0x0000000000760000-0x000000000076E000-memory.dmp

memory/2560-23-0x0000000000AA0000-0x0000000000AAC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\NXbjsV5dMk.bat

MD5 4ddf41f54a28bbab15b116a41ba10aa3
SHA1 a372c0af8639fe3dd969f00eaf309ed191736a44
SHA256 7240a04aa44c6e80a13e74b71022faac563b073e64a82a50bfd44ba6b862013f
SHA512 af48c461fccd74822ad659fb1df9e1aaee3ea56abdd5eee909c5b143d05b8203c98a4c736af09c8497db073d42d5e03fca4cf23b9b5dff1c48743bfb474326f3

memory/2560-47-0x000007FEF5A70000-0x000007FEF645C000-memory.dmp

memory/1456-50-0x000007FEF5080000-0x000007FEF5A6C000-memory.dmp

memory/1456-51-0x0000000000E30000-0x0000000000FB2000-memory.dmp

memory/1456-52-0x000000001B050000-0x000000001B0D0000-memory.dmp

memory/1456-53-0x000007FEF5080000-0x000007FEF5A6C000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-03-26 01:30

Reported

2024-03-26 01:32

Platform

win10v2004-20240226-en

Max time kernel

133s

Max time network

125s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6efee44acf580c370d19926398438acb40a8c63120bad4e2502d8a847e011239.exe"

Signatures

DcRat

rat infostealer dcrat
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
File created C:\Program Files\Windows Photo Viewer\f3b6ecef712a24 C:\BlockSurrogateagentFont\hostnet.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
File created C:\Program Files\Common Files\DESIGNER\04c1e7795967e4 C:\BlockSurrogateagentFont\hostnet.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\6efee44acf580c370d19926398438acb40a8c63120bad4e2502d8a847e011239.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\6efee44acf580c370d19926398438acb40a8c63120bad4e2502d8a847e011239.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\WScript.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation C:\BlockSurrogateagentFont\hostnet.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation C:\BlockSurrogateagentFont\hostnet.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Common Files\DESIGNER\TrustedInstaller.exe C:\BlockSurrogateagentFont\hostnet.exe N/A
File created C:\Program Files\Common Files\DESIGNER\04c1e7795967e4 C:\BlockSurrogateagentFont\hostnet.exe N/A
File created C:\Program Files\Windows Photo Viewer\spoolsv.exe C:\BlockSurrogateagentFont\hostnet.exe N/A
File created C:\Program Files\Windows Photo Viewer\f3b6ecef712a24 C:\BlockSurrogateagentFont\hostnet.exe N/A
File created C:\Program Files (x86)\WindowsPowerShell\Configuration\Registration\ee2ad38f3d4382 C:\BlockSurrogateagentFont\hostnet.exe N/A
File created C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\smss.exe C:\BlockSurrogateagentFont\hostnet.exe N/A
File created C:\Program Files\Common Files\DESIGNER\TrustedInstaller.exe C:\BlockSurrogateagentFont\hostnet.exe N/A
File created C:\Program Files (x86)\WindowsPowerShell\Configuration\Registration\Registry.exe C:\BlockSurrogateagentFont\hostnet.exe N/A
File opened for modification C:\Program Files (x86)\WindowsPowerShell\Configuration\Registration\Registry.exe C:\BlockSurrogateagentFont\hostnet.exe N/A
File created C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\69ddcba757bf72 C:\BlockSurrogateagentFont\hostnet.exe N/A
File created C:\Program Files\Windows Portable Devices\smss.exe C:\BlockSurrogateagentFont\hostnet.exe N/A
File created C:\Program Files\Windows Portable Devices\69ddcba757bf72 C:\BlockSurrogateagentFont\hostnet.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Resources\Themes\OfficeClickToRun.exe C:\BlockSurrogateagentFont\hostnet.exe N/A
File created C:\Windows\Resources\Themes\e6c9b481da804f C:\BlockSurrogateagentFont\hostnet.exe N/A
File created C:\Windows\Help\mui\0C0A\RuntimeBroker.exe C:\BlockSurrogateagentFont\hostnet.exe N/A
File created C:\Windows\Help\mui\0C0A\9e8d7a4ca61bd9 C:\BlockSurrogateagentFont\hostnet.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000_Classes\Local Settings C:\BlockSurrogateagentFont\hostnet.exe N/A
Key created \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000_Classes\Local Settings C:\BlockSurrogateagentFont\hostnet.exe N/A
Key created \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\6efee44acf580c370d19926398438acb40a8c63120bad4e2502d8a847e011239.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\BlockSurrogateagentFont\hostnet.exe N/A
Token: SeDebugPrivilege N/A C:\BlockSurrogateagentFont\hostnet.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\smss.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2604 wrote to memory of 3104 N/A C:\Users\Admin\AppData\Local\Temp\6efee44acf580c370d19926398438acb40a8c63120bad4e2502d8a847e011239.exe C:\Windows\SysWOW64\WScript.exe
PID 2604 wrote to memory of 3104 N/A C:\Users\Admin\AppData\Local\Temp\6efee44acf580c370d19926398438acb40a8c63120bad4e2502d8a847e011239.exe C:\Windows\SysWOW64\WScript.exe
PID 2604 wrote to memory of 3104 N/A C:\Users\Admin\AppData\Local\Temp\6efee44acf580c370d19926398438acb40a8c63120bad4e2502d8a847e011239.exe C:\Windows\SysWOW64\WScript.exe
PID 3104 wrote to memory of 3400 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 3104 wrote to memory of 3400 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 3104 wrote to memory of 3400 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 3400 wrote to memory of 5100 N/A C:\Windows\SysWOW64\cmd.exe C:\BlockSurrogateagentFont\hostnet.exe
PID 3400 wrote to memory of 5100 N/A C:\Windows\SysWOW64\cmd.exe C:\BlockSurrogateagentFont\hostnet.exe
PID 5100 wrote to memory of 3496 N/A C:\BlockSurrogateagentFont\hostnet.exe C:\Windows\System32\cmd.exe
PID 5100 wrote to memory of 3496 N/A C:\BlockSurrogateagentFont\hostnet.exe C:\Windows\System32\cmd.exe
PID 3496 wrote to memory of 4380 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 3496 wrote to memory of 4380 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 3496 wrote to memory of 816 N/A C:\Windows\System32\cmd.exe C:\BlockSurrogateagentFont\hostnet.exe
PID 3496 wrote to memory of 816 N/A C:\Windows\System32\cmd.exe C:\BlockSurrogateagentFont\hostnet.exe
PID 816 wrote to memory of 2040 N/A C:\BlockSurrogateagentFont\hostnet.exe C:\Windows\System32\cmd.exe
PID 816 wrote to memory of 2040 N/A C:\BlockSurrogateagentFont\hostnet.exe C:\Windows\System32\cmd.exe
PID 2040 wrote to memory of 1276 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 2040 wrote to memory of 1276 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 2040 wrote to memory of 1308 N/A C:\Windows\System32\cmd.exe C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\smss.exe
PID 2040 wrote to memory of 1308 N/A C:\Windows\System32\cmd.exe C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\smss.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\6efee44acf580c370d19926398438acb40a8c63120bad4e2502d8a847e011239.exe

"C:\Users\Admin\AppData\Local\Temp\6efee44acf580c370d19926398438acb40a8c63120bad4e2502d8a847e011239.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\BlockSurrogateagentFont\fQyg6J4g9nmbhwQ5lS61NpcW4.vbe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\BlockSurrogateagentFont\xRLfwMVgfRAMuw596iKz87.bat" "

C:\BlockSurrogateagentFont\hostnet.exe

"C:\BlockSurrogateagentFont\hostnet.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "TrustedInstallerT" /sc MINUTE /mo 8 /tr "'C:\Program Files\Common Files\DESIGNER\TrustedInstaller.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "TrustedInstaller" /sc ONLOGON /tr "'C:\Program Files\Common Files\DESIGNER\TrustedInstaller.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "TrustedInstallerT" /sc MINUTE /mo 12 /tr "'C:\Program Files\Common Files\DESIGNER\TrustedInstaller.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Photo Viewer\spoolsv.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Photo Viewer\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\7XItC9Yz4s.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\BlockSurrogateagentFont\hostnet.exe

"C:\BlockSurrogateagentFont\hostnet.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\WindowsPowerShell\Configuration\Registration\Registry.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Program Files (x86)\WindowsPowerShell\Configuration\Registration\Registry.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\WindowsPowerShell\Configuration\Registration\Registry.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\Links\dllhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Admin\Links\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\Links\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\Desktop\lsass.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Users\All Users\Desktop\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\Desktop\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\unsecapp.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\unsecapp.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\unsecapp.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\smss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Windows\Help\mui\0C0A\RuntimeBroker.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\Help\mui\0C0A\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Windows\Help\mui\0C0A\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\Idle.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\Idle.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\Idle.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\winlogon.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\services.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Portable Devices\smss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Portable Devices\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 9 /tr "'C:\Windows\Resources\Themes\OfficeClickToRun.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Windows\Resources\Themes\OfficeClickToRun.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 7 /tr "'C:\Windows\Resources\Themes\OfficeClickToRun.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\Microsoft\DRM\Server\fontdrvhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Users\All Users\Microsoft\DRM\Server\fontdrvhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\Microsoft\DRM\Server\fontdrvhost.exe'" /rl HIGHEST /f

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\N1eCHl4zkY.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\smss.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\smss.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 133.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 173.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 a0869574.xsph.ru udp
RU 141.8.197.42:80 a0869574.xsph.ru tcp
RU 141.8.197.42:80 a0869574.xsph.ru tcp
US 8.8.8.8:53 42.197.8.141.in-addr.arpa udp
US 8.8.8.8:53 130.211.222.173.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp

Files

C:\BlockSurrogateagentFont\fQyg6J4g9nmbhwQ5lS61NpcW4.vbe

MD5 277c7ccc3313d83f51d594cba0ae300d
SHA1 48531a959a24846841b8fda471c5fea259f2ca38
SHA256 175078a008fd8a809b77f11c51933d1a9e5181282523819875e7afea24c52b96
SHA512 311e654150ad8bf4bf9b38a7b876f205cf5a450be4b6a9ced8a7e3e15ca1137a4f1dbfac0dce058031a616b4621ec592592db17e10f1753f739f710b1f54c5ac

C:\BlockSurrogateagentFont\xRLfwMVgfRAMuw596iKz87.bat

MD5 15611ce0ff6e3e772e3a8b7ac6cf4653
SHA1 75bc873877b06c9413cc8d1908106ed143cd4bf0
SHA256 630c1433757569b9e123313255a23d50e82a629396121ff21df67a56ebf92ae3
SHA512 1151ee66357bdb4946f534cfe5a509497ccc57668fb874d17977740db6a6796fbdd6893e3196c3dab0be44f9f1b4f1c0f8870593a960a384f978bd5a1813fe71

C:\BlockSurrogateagentFont\hostnet.exe

MD5 53827648303c620a8fa81a2998ae5ae5
SHA1 8aa7c650f061e7d7f396718e6b4d8934392b60bb
SHA256 b1f886a9cc761bbe9e6bb5287d414d3ba0e1402c6d1c055435985e3bcacbf652
SHA512 273bb61dbde98abc172e9afe83f25e1d2b93d0dcb9a5dd8ebef03f70c677499c4d3c1788a9fa9e71131847ba1a2e6d4ffcdac20c3496b472377756f112d1550d

memory/5100-12-0x0000000000600000-0x0000000000782000-memory.dmp

memory/5100-13-0x00007FFA4C380000-0x00007FFA4CE41000-memory.dmp

memory/5100-14-0x000000001B3B0000-0x000000001B3C0000-memory.dmp

memory/5100-15-0x000000001B280000-0x000000001B28E000-memory.dmp

memory/5100-16-0x000000001B290000-0x000000001B2AC000-memory.dmp

memory/5100-17-0x000000001B350000-0x000000001B3A0000-memory.dmp

memory/5100-18-0x000000001B2B0000-0x000000001B2C6000-memory.dmp

memory/5100-19-0x000000001B2D0000-0x000000001B2E0000-memory.dmp

memory/5100-20-0x000000001B2E0000-0x000000001B2F2000-memory.dmp

memory/5100-21-0x000000001C130000-0x000000001C658000-memory.dmp

memory/5100-22-0x000000001B320000-0x000000001B32E000-memory.dmp

memory/5100-23-0x000000001B330000-0x000000001B33C000-memory.dmp

memory/5100-33-0x00007FFA4C380000-0x00007FFA4CE41000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7XItC9Yz4s.bat

MD5 99feaed4619bba9bd6444a19986de0ba
SHA1 f0857a1f73aec6f2015e354c518ef534f63d76ff
SHA256 b86e47cdd7522e3d9abea2623e238847b61bc2ce00b91d55e110fec566f2ed7a
SHA512 6d9711b742126bf23ef5f96c3d7b515e177622daacc65dba8f39de71b62beb86ddd07ff6ef136b84e7815b7f7f2b390a2e1de144475e72f8049b20ecaa6c0f92

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\hostnet.exe.log

MD5 655010c15ea0ca05a6e5ddcd84986b98
SHA1 120bf7e516aeed462c07625fbfcdab5124ad05d3
SHA256 2b1ffeab025cc7c61c50e3e2e4c9253046d9174cf00181a8c1de733a4c0daa14
SHA512 e52c26718d7d1e979837b5ac626dde26920fe7413b8aa7be6f1be566a1b0f035582f4d313400e3ad6b92552abb1dfaf186b60b875fb955a2a94fd839fe841437

memory/816-37-0x00007FFA4C380000-0x00007FFA4CE41000-memory.dmp

memory/816-38-0x000000001B4B0000-0x000000001B4C2000-memory.dmp

memory/816-67-0x00007FFA4C380000-0x00007FFA4CE41000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\N1eCHl4zkY.bat

MD5 e990b9deb891d63a0054b2570bf6b39d
SHA1 b2eafc8d8eed7fd9ec0382340535dc8033cf02f1
SHA256 a42e3f78e32701292ab557ed2b16609394e61c2c501656efd510b7d696e17d7f
SHA512 56e7811ad2634d106e4d5ccead0e32ca709d1aaa0430bfae604b9fe0a1258990a6c1e8bde592484be7c40cf9f65b729242f8b95bfab4a0a085ed069b26e03096

memory/1308-72-0x00007FFA4C380000-0x00007FFA4CE41000-memory.dmp

memory/1308-73-0x000000001B790000-0x000000001B7A2000-memory.dmp

memory/1308-75-0x00007FFA4C380000-0x00007FFA4CE41000-memory.dmp