Malware Analysis Report

2024-10-10 13:08

Sample ID 240617-rh4yastgkd
Target EX Cheker.exe
SHA256 4c3355cc4f926ad3bc4f84e788068a50cb2a1f504d370aaaacfab6637a5e25cf
Tags rat dcrat evasion infostealer spyware stealer trojan
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10

SHA256 4c3355cc4f926ad3bc4f84e788068a50cb2a1f504d370aaaacfab6637a5e25cf

Threat Level: Known bad

The file EX Cheker.exe was found to be: Known bad.

Malicious Activity Summary

rat dcrat evasion infostealer spyware stealer trojan

DCRat payload

Dcrat family

DcRat

UAC bypass

Process spawned unexpected child process

DCRat payload

Reads user/profile data of web browsers

Executes dropped EXE

Loads dropped DLL

Checks computer location settings

Checks whether UAC is enabled

Drops file in Windows directory

Drops file in Program Files directory

Unsigned PE

Enumerates physical storage devices

Creates scheduled task(s)

Uses Volume Shadow Copy service COM API

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

Suspicious behavior: GetForegroundWindowSpam

System policy modification

Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-17 14:12

Signatures

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Dcrat family

dcrat

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-17 14:12

Reported

2024-06-17 14:15

Platform

win7-20240419-en

Max time kernel

147s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\EX Cheker.exe"

Signatures

DcRat

rat infostealer dcrat

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
(identical row repeated 54 times)

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\SavesCommon\blockSurrogatesession.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\SavesCommon\blockSurrogatesession.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\SavesCommon\blockSurrogatesession.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Default\Recent\dwm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Default\Recent\dwm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Default\Recent\dwm.exe N/A

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\SavesCommon\blockSurrogatesession.exe N/A
N/A N/A C:\Users\Default\Recent\dwm.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
(identical row repeated 2 times)

Reads user/profile data of web browsers

spyware stealer

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\SavesCommon\blockSurrogatesession.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Default\Recent\dwm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Default\Recent\dwm.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\SavesCommon\blockSurrogatesession.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Windows Portable Devices\wininit.exe C:\SavesCommon\blockSurrogatesession.exe N/A
File created C:\Program Files\Windows Portable Devices\56085415360792 C:\SavesCommon\blockSurrogatesession.exe N/A
File created C:\Program Files\Windows Portable Devices\audiodg.exe C:\SavesCommon\blockSurrogatesession.exe N/A
File created C:\Program Files\Windows Portable Devices\42af1c969fbb7b C:\SavesCommon\blockSurrogatesession.exe N/A
File created C:\Program Files (x86)\Internet Explorer\SIGNUP\lsm.exe C:\SavesCommon\blockSurrogatesession.exe N/A
File created C:\Program Files (x86)\Internet Explorer\SIGNUP\101b941d020240 C:\SavesCommon\blockSurrogatesession.exe N/A
File created C:\Program Files (x86)\Windows Sidebar\en-US\dwm.exe C:\SavesCommon\blockSurrogatesession.exe N/A
File created C:\Program Files (x86)\Windows Sidebar\en-US\6cb0b6c459d5d3 C:\SavesCommon\blockSurrogatesession.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Downloaded Program Files\f3b6ecef712a24 C:\SavesCommon\blockSurrogatesession.exe N/A
File created C:\Windows\ModemLogs\blockSurrogatesession.exe C:\SavesCommon\blockSurrogatesession.exe N/A
File opened for modification C:\Windows\ModemLogs\blockSurrogatesession.exe C:\SavesCommon\blockSurrogatesession.exe N/A
File created C:\Windows\ModemLogs\ecc492c2ce78f8 C:\SavesCommon\blockSurrogatesession.exe N/A
File created C:\Windows\schemas\EAPMethods\spoolsv.exe C:\SavesCommon\blockSurrogatesession.exe N/A
File created C:\Windows\Downloaded Program Files\spoolsv.exe C:\SavesCommon\blockSurrogatesession.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
(identical row repeated 54 times)

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Default\Recent\dwm.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\SavesCommon\blockSurrogatesession.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Default\Recent\dwm.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2128 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Local\Temp\EX Cheker.exe C:\Windows\SysWOW64\WScript.exe (4 identical rows)
PID 2720 wrote to memory of 2560 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe (4 identical rows)
PID 2560 wrote to memory of 2676 N/A C:\Windows\SysWOW64\cmd.exe C:\SavesCommon\blockSurrogatesession.exe (4 identical rows)
PID 2676 wrote to memory of 2488 N/A C:\SavesCommon\blockSurrogatesession.exe C:\Users\Default\Recent\dwm.exe (3 identical rows)
PID 2488 wrote to memory of 2684 N/A C:\Users\Default\Recent\dwm.exe C:\Windows\System32\WScript.exe (3 identical rows)
PID 2488 wrote to memory of 2572 N/A C:\Users\Default\Recent\dwm.exe C:\Windows\System32\WScript.exe (3 identical rows)

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\SavesCommon\blockSurrogatesession.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\SavesCommon\blockSurrogatesession.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Default\Recent\dwm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Default\Recent\dwm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Default\Recent\dwm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\SavesCommon\blockSurrogatesession.exe N/A

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\EX Cheker.exe

"C:\Users\Admin\AppData\Local\Temp\EX Cheker.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\SavesCommon\Rykk8j79.vbe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\SavesCommon\aj3oL98d.bat" "

C:\SavesCommon\blockSurrogatesession.exe

"C:\SavesCommon\blockSurrogatesession.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "blockSurrogatesessionb" /sc MINUTE /mo 9 /tr "'C:\Windows\ModemLogs\blockSurrogatesession.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "blockSurrogatesession" /sc ONLOGON /tr "'C:\Windows\ModemLogs\blockSurrogatesession.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "blockSurrogatesessionb" /sc MINUTE /mo 12 /tr "'C:\Windows\ModemLogs\blockSurrogatesession.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\SavesCommon\services.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\SavesCommon\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\SavesCommon\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\Users\Default\Recent\dwm.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\Default\Recent\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\Users\Default\Recent\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\SavesCommon\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\SavesCommon\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\SavesCommon\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\Recovery\07daf2c2-fe8f-11ee-804d-f636db4e28e7\Idle.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\07daf2c2-fe8f-11ee-804d-f636db4e28e7\Idle.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Recovery\07daf2c2-fe8f-11ee-804d-f636db4e28e7\Idle.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Windows\Downloaded Program Files\spoolsv.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\Downloaded Program Files\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Windows\Downloaded Program Files\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 5 /tr "'C:\Recovery\07daf2c2-fe8f-11ee-804d-f636db4e28e7\audiodg.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Recovery\07daf2c2-fe8f-11ee-804d-f636db4e28e7\audiodg.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 11 /tr "'C:\Recovery\07daf2c2-fe8f-11ee-804d-f636db4e28e7\audiodg.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsml" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Internet Explorer\SIGNUP\lsm.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\SIGNUP\lsm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsml" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Internet Explorer\SIGNUP\lsm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Users\Public\Documents\My Music\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Public\Documents\My Music\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Users\Public\Documents\My Music\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\Recovery\07daf2c2-fe8f-11ee-804d-f636db4e28e7\lsass.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Recovery\07daf2c2-fe8f-11ee-804d-f636db4e28e7\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\Recovery\07daf2c2-fe8f-11ee-804d-f636db4e28e7\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Sidebar\en-US\dwm.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\en-US\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Sidebar\en-US\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\spoolsv.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\Recovery\07daf2c2-fe8f-11ee-804d-f636db4e28e7\sppsvc.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\07daf2c2-fe8f-11ee-804d-f636db4e28e7\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\Recovery\07daf2c2-fe8f-11ee-804d-f636db4e28e7\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\Recovery\07daf2c2-fe8f-11ee-804d-f636db4e28e7\lsass.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Recovery\07daf2c2-fe8f-11ee-804d-f636db4e28e7\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\Recovery\07daf2c2-fe8f-11ee-804d-f636db4e28e7\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Portable Devices\wininit.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Portable Devices\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsml" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\lsm.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\lsm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsml" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\lsm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Recovery\07daf2c2-fe8f-11ee-804d-f636db4e28e7\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\07daf2c2-fe8f-11ee-804d-f636db4e28e7\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Recovery\07daf2c2-fe8f-11ee-804d-f636db4e28e7\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Portable Devices\audiodg.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\audiodg.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Portable Devices\audiodg.exe'" /rl HIGHEST /f

C:\Users\Default\Recent\dwm.exe

"C:\Users\Default\Recent\dwm.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dd8dce4b-58db-4804-8e46-ff83ae2f30b8.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\14644e7c-3bea-4981-aa2d-52d8f7941ebd.vbs"

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 sddfasdasfdewfdsaffd.000webhostapp.com udp
US 145.14.145.63:80 sddfasdasfdewfdsaffd.000webhostapp.com tcp
US 145.14.145.63:80 sddfasdasfdewfdsaffd.000webhostapp.com tcp
US 145.14.145.63:80 sddfasdasfdewfdsaffd.000webhostapp.com tcp
US 8.8.8.8:53 sddfasdasfdewfdsaffd.000webhostapp.com udp
US 145.14.144.179:80 sddfasdasfdewfdsaffd.000webhostapp.com tcp
US 145.14.144.179:80 sddfasdasfdewfdsaffd.000webhostapp.com tcp

Files

C:\SavesCommon\Rykk8j79.vbe

MD5 8175d3e3a77ac089e12ed87b88918cba
SHA1 ecbf23a03bee2713701f848d3f2f84b50a8c34a3
SHA256 68e1f913ef22c414344c15bd15ecf25155dd751c83ced00e930c305ebf3954b3
SHA512 8cfc2bd383e1983264010d15f1d9c2851947d2e978b5996b81b19f67a79c6485e0e60020267fdf89571a0523d2a7d69ac93089e2c0f5e871c8845ff34361b3f5

C:\SavesCommon\aj3oL98d.bat

MD5 26c7d82b1d69a346f7b6f20bd53ad1aa
SHA1 0e340e2fb78c2f6e82633a29a9eec8b6a80f2403
SHA256 6a9463daf129066a367e794a57eff4eb7b4632945fa3f2869ab63fb218199071
SHA512 60c71bc970d9b236fe4ce0093634a51b144cd4cea7a6a7e4fc9493338f14529d0ad1e24fc927494d6aecebc06078340f9b725ced57fdbd0d751beef9211af991

C:\SavesCommon\blockSurrogatesession.exe

MD5 ccf723c2a4e53539affeb430b0afc5c5
SHA1 257dbd6c98f74502cd70c526b94c33c52930286c
SHA256 27841168a182b17e08a67b67a48467f970ab70a25975c6e8e8c68e38fcfbce36
SHA512 083eae82fc45ce1d22c4bb2b0e21e3242d199690608d1e9c52a4e7e93bd59ee46c3beb0c38554513ec06bf9ec4c3d584334ed316cef0b5e4c00cebe27c5ae971

memory/2676-13-0x00000000009A0000-0x0000000000B0C000-memory.dmp

memory/2676-14-0x0000000000440000-0x000000000044E000-memory.dmp

memory/2676-15-0x0000000000450000-0x000000000046C000-memory.dmp

memory/2676-16-0x0000000000470000-0x0000000000480000-memory.dmp

memory/2676-17-0x0000000000600000-0x0000000000616000-memory.dmp

memory/2676-18-0x0000000000660000-0x000000000066A000-memory.dmp

memory/2676-19-0x0000000000670000-0x000000000067A000-memory.dmp

memory/2676-20-0x0000000000680000-0x0000000000688000-memory.dmp

memory/2676-21-0x0000000000930000-0x000000000093C000-memory.dmp

memory/2488-64-0x0000000000AD0000-0x0000000000C3C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\14644e7c-3bea-4981-aa2d-52d8f7941ebd.vbs

MD5 427656e4bd23d25cba16314aa7d50227
SHA1 86370e71ad68d014b74c7a00c4ff7dd2ff3d98da
SHA256 0a51f07eb903a1a57f475d46090cb137a83e6e8ded5b2ae315a50411b0c0cbf7
SHA512 fbc55d5b6355a6ac4f348a7cb6567a043a4ca5c4a4d7741a55f366c69f5bbdc240f120471ad32406dc3bc9b981072cecf14ad7bfc0777c9f9e02289ad6cb83b5

C:\Users\Admin\AppData\Local\Temp\dd8dce4b-58db-4804-8e46-ff83ae2f30b8.vbs

MD5 9745304d6ee3a141ce6d6ad06409fdb3
SHA1 07c46756824db9bfeb3622218d9b30d0ce5dfcc5
SHA256 de9e8cfc190fc32652ec1b2a97f041d8d49fb6951dc4040e91e02c4d242c3479
SHA512 22363033092c263a90a5d2c68f1a5b2a791227c5c9823207ddd36580c5474cf1e3738ffd1b12ce403d2f6a436dc7f2d9c2fc0ccf9de93421bbcedc9e82cb488d

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-17 14:12

Reported

2024-06-17 14:15

Platform

win10v2004-20240611-en

Max time kernel

150s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\EX Cheker.exe"

Signatures

DcRat

rat infostealer dcrat

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
(identical row repeated 22 times)
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\SavesCommon\blockSurrogatesession.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\VideoLAN\VLC\skins\fonts\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files\VideoLAN\VLC\skins\fonts\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files\VideoLAN\VLC\skins\fonts\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\SavesCommon\blockSurrogatesession.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\SavesCommon\blockSurrogatesession.exe N/A

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\EX Cheker.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\WScript.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\Control Panel\International\Geo\Nation C:\SavesCommon\blockSurrogatesession.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\Control Panel\International\Geo\Nation C:\Program Files\VideoLAN\VLC\skins\fonts\RuntimeBroker.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\SavesCommon\blockSurrogatesession.exe N/A
N/A N/A C:\Program Files\VideoLAN\VLC\skins\fonts\RuntimeBroker.exe N/A

Reads user/profile data of web browsers

spyware stealer

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\VideoLAN\VLC\skins\fonts\RuntimeBroker.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\SavesCommon\blockSurrogatesession.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\SavesCommon\blockSurrogatesession.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files\VideoLAN\VLC\skins\fonts\RuntimeBroker.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\SearchApp.exe C:\SavesCommon\blockSurrogatesession.exe N/A
File created C:\Program Files (x86)\Windows Photo Viewer\fontdrvhost.exe C:\SavesCommon\blockSurrogatesession.exe N/A
File created C:\Program Files (x86)\Windows Photo Viewer\5b884080fd4f94 C:\SavesCommon\blockSurrogatesession.exe N/A
File created C:\Program Files\Common Files\microsoft shared\Source Engine\sppsvc.exe C:\SavesCommon\blockSurrogatesession.exe N/A
File created C:\Program Files\Common Files\microsoft shared\Source Engine\0a1fd5f707cd16 C:\SavesCommon\blockSurrogatesession.exe N/A
File created C:\Program Files (x86)\Windows NT\TableTextService\en-US\explorer.exe C:\SavesCommon\blockSurrogatesession.exe N/A
File created C:\Program Files (x86)\Windows NT\TableTextService\en-US\7a0fd90576e088 C:\SavesCommon\blockSurrogatesession.exe N/A
File created C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\38384e6a620884 C:\SavesCommon\blockSurrogatesession.exe N/A
File created C:\Program Files\VideoLAN\VLC\skins\fonts\RuntimeBroker.exe C:\SavesCommon\blockSurrogatesession.exe N/A
File created C:\Program Files\VideoLAN\VLC\skins\fonts\9e8d7a4ca61bd9 C:\SavesCommon\blockSurrogatesession.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\EX Cheker.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000_Classes\Local Settings C:\Program Files\VideoLAN\VLC\skins\fonts\RuntimeBroker.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\SavesCommon\blockSurrogatesession.exe N/A
N/A N/A C:\SavesCommon\blockSurrogatesession.exe N/A
N/A N/A C:\SavesCommon\blockSurrogatesession.exe N/A
N/A N/A C:\SavesCommon\blockSurrogatesession.exe N/A
N/A N/A C:\SavesCommon\blockSurrogatesession.exe N/A
N/A N/A C:\SavesCommon\blockSurrogatesession.exe N/A
N/A N/A C:\SavesCommon\blockSurrogatesession.exe N/A
N/A N/A C:\SavesCommon\blockSurrogatesession.exe N/A
N/A N/A C:\SavesCommon\blockSurrogatesession.exe N/A
N/A N/A C:\SavesCommon\blockSurrogatesession.exe N/A
N/A N/A C:\SavesCommon\blockSurrogatesession.exe N/A
N/A N/A C:\SavesCommon\blockSurrogatesession.exe N/A
N/A N/A C:\SavesCommon\blockSurrogatesession.exe N/A
N/A N/A C:\SavesCommon\blockSurrogatesession.exe N/A
N/A N/A C:\SavesCommon\blockSurrogatesession.exe N/A
N/A N/A C:\SavesCommon\blockSurrogatesession.exe N/A
N/A N/A C:\SavesCommon\blockSurrogatesession.exe N/A
N/A N/A C:\SavesCommon\blockSurrogatesession.exe N/A
N/A N/A C:\Program Files\VideoLAN\VLC\skins\fonts\RuntimeBroker.exe N/A
N/A N/A C:\Program Files\VideoLAN\VLC\skins\fonts\RuntimeBroker.exe N/A
N/A N/A C:\Program Files\VideoLAN\VLC\skins\fonts\RuntimeBroker.exe N/A
N/A N/A C:\Program Files\VideoLAN\VLC\skins\fonts\RuntimeBroker.exe N/A
N/A N/A C:\Program Files\VideoLAN\VLC\skins\fonts\RuntimeBroker.exe N/A
N/A N/A C:\Program Files\VideoLAN\VLC\skins\fonts\RuntimeBroker.exe N/A
N/A N/A C:\Program Files\VideoLAN\VLC\skins\fonts\RuntimeBroker.exe N/A
N/A N/A C:\Program Files\VideoLAN\VLC\skins\fonts\RuntimeBroker.exe N/A
N/A N/A C:\Program Files\VideoLAN\VLC\skins\fonts\RuntimeBroker.exe N/A
N/A N/A C:\Program Files\VideoLAN\VLC\skins\fonts\RuntimeBroker.exe N/A
N/A N/A C:\Program Files\VideoLAN\VLC\skins\fonts\RuntimeBroker.exe N/A
N/A N/A C:\Program Files\VideoLAN\VLC\skins\fonts\RuntimeBroker.exe N/A
N/A N/A C:\Program Files\VideoLAN\VLC\skins\fonts\RuntimeBroker.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files\VideoLAN\VLC\skins\fonts\RuntimeBroker.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\SavesCommon\blockSurrogatesession.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\VideoLAN\VLC\skins\fonts\RuntimeBroker.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2224 wrote to memory of 2392 N/A C:\Users\Admin\AppData\Local\Temp\EX Cheker.exe C:\Windows\SysWOW64\WScript.exe
PID 2224 wrote to memory of 2392 N/A C:\Users\Admin\AppData\Local\Temp\EX Cheker.exe C:\Windows\SysWOW64\WScript.exe
PID 2224 wrote to memory of 2392 N/A C:\Users\Admin\AppData\Local\Temp\EX Cheker.exe C:\Windows\SysWOW64\WScript.exe
PID 2392 wrote to memory of 2320 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 2392 wrote to memory of 2320 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 2392 wrote to memory of 2320 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 2320 wrote to memory of 5016 N/A C:\Windows\SysWOW64\cmd.exe C:\SavesCommon\blockSurrogatesession.exe
PID 2320 wrote to memory of 5016 N/A C:\Windows\SysWOW64\cmd.exe C:\SavesCommon\blockSurrogatesession.exe
PID 5016 wrote to memory of 1332 N/A C:\SavesCommon\blockSurrogatesession.exe C:\Program Files\VideoLAN\VLC\skins\fonts\RuntimeBroker.exe
PID 5016 wrote to memory of 1332 N/A C:\SavesCommon\blockSurrogatesession.exe C:\Program Files\VideoLAN\VLC\skins\fonts\RuntimeBroker.exe
PID 1332 wrote to memory of 3116 N/A C:\Program Files\VideoLAN\VLC\skins\fonts\RuntimeBroker.exe C:\Windows\System32\WScript.exe
PID 1332 wrote to memory of 3116 N/A C:\Program Files\VideoLAN\VLC\skins\fonts\RuntimeBroker.exe C:\Windows\System32\WScript.exe
PID 1332 wrote to memory of 1744 N/A C:\Program Files\VideoLAN\VLC\skins\fonts\RuntimeBroker.exe C:\Windows\System32\WScript.exe
PID 1332 wrote to memory of 1744 N/A C:\Program Files\VideoLAN\VLC\skins\fonts\RuntimeBroker.exe C:\Windows\System32\WScript.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\SavesCommon\blockSurrogatesession.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\SavesCommon\blockSurrogatesession.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\VideoLAN\VLC\skins\fonts\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files\VideoLAN\VLC\skins\fonts\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files\VideoLAN\VLC\skins\fonts\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\SavesCommon\blockSurrogatesession.exe N/A

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\EX Cheker.exe

"C:\Users\Admin\AppData\Local\Temp\EX Cheker.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\SavesCommon\Rykk8j79.vbe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\SavesCommon\aj3oL98d.bat" "

C:\SavesCommon\blockSurrogatesession.exe

"C:\SavesCommon\blockSurrogatesession.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\dllhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Default User\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\Microsoft OneDrive\dwm.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\All Users\Microsoft OneDrive\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\Microsoft OneDrive\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 9 /tr "'C:\SavesCommon\fontdrvhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\SavesCommon\fontdrvhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 14 /tr "'C:\SavesCommon\fontdrvhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 13 /tr "'C:\SavesCommon\sysmon.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\SavesCommon\sysmon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 11 /tr "'C:\SavesCommon\sysmon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\Program Files\Common Files\microsoft shared\Source Engine\sppsvc.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files\Common Files\microsoft shared\Source Engine\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\Program Files\Common Files\microsoft shared\Source Engine\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\Videos\dwm.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\Admin\Videos\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\Videos\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\conhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\conhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\conhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 7 /tr "'C:\SavesCommon\unsecapp.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\SavesCommon\unsecapp.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 6 /tr "'C:\SavesCommon\unsecapp.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\en-US\explorer.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\TableTextService\en-US\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\en-US\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\Users\Public\Downloads\sppsvc.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Users\Public\Downloads\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\Users\Public\Downloads\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 5 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\SearchApp.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\SearchApp.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 10 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\SearchApp.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 9 /tr "'C:\SavesCommon\fontdrvhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\SavesCommon\fontdrvhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 9 /tr "'C:\SavesCommon\fontdrvhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Photo Viewer\fontdrvhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\fontdrvhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Photo Viewer\fontdrvhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Program Files\VideoLAN\VLC\skins\fonts\RuntimeBroker.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\VLC\skins\fonts\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Program Files\VideoLAN\VLC\skins\fonts\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f

C:\Program Files\VideoLAN\VLC\skins\fonts\RuntimeBroker.exe

"C:\Program Files\VideoLAN\VLC\skins\fonts\RuntimeBroker.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\04801d5a-46ac-4ec5-8647-098b3751923e.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4b8ea4ed-6d38-44c6-931a-1940b331acef.vbs"

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
NL 23.62.61.171:443 www.bing.com tcp
US 8.8.8.8:53 73.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 241.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 171.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 sddfasdasfdewfdsaffd.000webhostapp.com udp
US 145.14.144.161:80 sddfasdasfdewfdsaffd.000webhostapp.com tcp
US 145.14.144.161:80 sddfasdasfdewfdsaffd.000webhostapp.com tcp
US 8.8.8.8:53 161.144.14.145.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 31.251.17.2.in-addr.arpa udp
US 8.8.8.8:53 249.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 145.14.144.161:80 sddfasdasfdewfdsaffd.000webhostapp.com tcp
US 8.8.8.8:53 sddfasdasfdewfdsaffd.000webhostapp.com udp
US 145.14.145.138:80 sddfasdasfdewfdsaffd.000webhostapp.com tcp
US 8.8.8.8:53 138.145.14.145.in-addr.arpa udp

Files

C:\SavesCommon\Rykk8j79.vbe

MD5 8175d3e3a77ac089e12ed87b88918cba
SHA1 ecbf23a03bee2713701f848d3f2f84b50a8c34a3
SHA256 68e1f913ef22c414344c15bd15ecf25155dd751c83ced00e930c305ebf3954b3
SHA512 8cfc2bd383e1983264010d15f1d9c2851947d2e978b5996b81b19f67a79c6485e0e60020267fdf89571a0523d2a7d69ac93089e2c0f5e871c8845ff34361b3f5

C:\SavesCommon\aj3oL98d.bat

MD5 26c7d82b1d69a346f7b6f20bd53ad1aa
SHA1 0e340e2fb78c2f6e82633a29a9eec8b6a80f2403
SHA256 6a9463daf129066a367e794a57eff4eb7b4632945fa3f2869ab63fb218199071
SHA512 60c71bc970d9b236fe4ce0093634a51b144cd4cea7a6a7e4fc9493338f14529d0ad1e24fc927494d6aecebc06078340f9b725ced57fdbd0d751beef9211af991

C:\SavesCommon\blockSurrogatesession.exe

MD5 ccf723c2a4e53539affeb430b0afc5c5
SHA1 257dbd6c98f74502cd70c526b94c33c52930286c
SHA256 27841168a182b17e08a67b67a48467f970ab70a25975c6e8e8c68e38fcfbce36
SHA512 083eae82fc45ce1d22c4bb2b0e21e3242d199690608d1e9c52a4e7e93bd59ee46c3beb0c38554513ec06bf9ec4c3d584334ed316cef0b5e4c00cebe27c5ae971

memory/5016-13-0x00007FFEC06F3000-0x00007FFEC06F5000-memory.dmp

memory/5016-12-0x00000000001E0000-0x000000000034C000-memory.dmp

memory/5016-14-0x0000000002460000-0x000000000246E000-memory.dmp

memory/5016-15-0x0000000002470000-0x000000000248C000-memory.dmp

memory/5016-16-0x00000000024E0000-0x0000000002530000-memory.dmp

memory/5016-17-0x0000000002490000-0x00000000024A0000-memory.dmp

memory/5016-18-0x00000000024A0000-0x00000000024B6000-memory.dmp

memory/5016-19-0x00000000024C0000-0x00000000024CA000-memory.dmp

memory/5016-20-0x00000000024D0000-0x00000000024DA000-memory.dmp

memory/5016-22-0x000000001B020000-0x000000001B02C000-memory.dmp

memory/5016-21-0x000000001B010000-0x000000001B018000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\04801d5a-46ac-4ec5-8647-098b3751923e.vbs

MD5 31a68ce092a399f11a8e9d5a4242961c
SHA1 9d09455cfbd8e6158ea233dd45fa15427f5dd27f
SHA256 0fdae8d1af320c82150d2403d7aeeeabcfeb48f24034144ea9247f1d0a74d0f5
SHA512 5e6cff19197e4100af10a34819df567790fc3681e8cc6d239b485e6eea052a8699a1818038f299719293d143de2b44bb7d38420ba1c40c987b30ebcaa0814466

C:\Users\Admin\AppData\Local\Temp\4b8ea4ed-6d38-44c6-931a-1940b331acef.vbs

MD5 7e69e8580ae4016d06974a4715a2cbac
SHA1 6a2de28b7933129f89dd3dcdaef6d5447ff8e254
SHA256 6430aafc4887d3844fe064fc6713918b0cb229977923725ac60e45648683e7c4
SHA512 7d50bf0b4501eaf6dafc16dbb3ea13ba428aac7df43f96ce3ca4153a5f493b39f68c7701ffcdb2aab877d6732b1d4c62cb4c5b46b534496735a00731b4fc18ce

memory/1332-111-0x000000001E400000-0x000000001E5A9000-memory.dmp